Summary (number of times each Nt* system call was observed in the trace below, listed in ascending order of count):

NtAddAtom(>) 1 NtUserGetDC(>) 1 NtDeviceIoControlFile(>) 6 NtQueryDefaultLocale(>) 21
NtCallbackReturn(>) 1 NtUserGetObjectInformation(>) 1 NtEnumerateKey(>) 6 NtQueryInformationFile(>) 22
NtConnectPort(>) 1 NtUserGetProcessWindowStation(>) 1 NtSetEvent(>) 6 NtCreateEvent(>) 23
NtContinue(>) 1 NtUserGetThreadDesktop(>) 1 NtWriteFile(>) 6 NtQueryDebugFilterState(>) 23
NtCreateProcessEx(>) 1 NtAccessCheck(>) 2 NtQueryDirectoryFile(>) 7 NtOpenProcessTokenEx(>) 26
NtCreateThread(>) 1 NtDuplicateObject(>) 2 NtReadFile(>) 7 NtOpenThreadTokenEx(>) 26
NtDelayExecution(>) 1 NtGdiCreateSolidBrush(>) 2 NtSetInformationProcess(>) 8 NtProtectVirtualMemory(>) 27
NtDuplicateToken(>) 1 NtOpenDirectoryObject(>) 2 NtCreateKey(>) 9 NtFreeVirtualMemory(>) 31
NtEnumerateValueKey(>) 1 NtOpenProcess(>) 2 NtCreateSemaphore(>) 10 NtQueryInformationToken(>) 32
NtFsControlFile(>) 1 NtOpenSymbolicLinkObject(>) 2 NtOpenMutant(>) 10 NtQuerySection(>) 33
NtGdiCreateBitmap(>) 1 NtQueryInstallUILanguage(>) 2 NtQueryDefaultUILanguage(>) 10 NtQuerySystemInformation(>) 33
NtGdiInit(>) 1 NtQuerySymbolicLinkObject(>) 2 NtRequestWaitReplyPort(>) 10 NtCreateSection(>) 46
NtGdiQueryFontAssocInfo(>) 1 NtReadVirtualMemory(>) 2 NtUserSystemParametersInfo(>) 10 NtUserUnregisterClass(>) 46
NtGdiSelectBitmap(>) 1 NtTerminateProcess(>) 2 NtCreateMutant(>) 11 NtUserFindExistingCursorIcon(>) 48
NtOpenKeyedEvent(>) 1 NtClearEvent(>) 3 NtReleaseMutant(>) 11 NtQueryVirtualMemory(>) 52
NtQueryEvent(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQueryVolumeInformationFile(>) 12 NtOpenSection(>) 57
NtQueryInformationJobObject(>) 1 NtNotifyChangeKey(>) 3 NtFlushInstructionCache(>) 13 NtUserRegisterClassExWOW(>) 63
NtQueryObject(>) 1 NtOpenEvent(>) 3 NtSetValueKey(>) 13 NtMapViewOfSection(>) 69
NtQueryTimerResolution(>) 1 NtReleaseSemaphore(>) 3 NtQueryInformationProcess(>) 14 NtOpenFile(>) 73
NtRegisterThreadTerminatePort(>) 1 NtSetInformationObject(>) 3 NtSetInformationFile(>) 14 NtUserGetClassInfo(>) 82
NtResumeThread(>) 1 NtWaitForMultipleObjects(>) 3 NtSetInformationThread(>) 14 NtAllocateVirtualMemory(>) 114
NtSecureConnectPort(>) 1 NtWriteVirtualMemory(>) 4 NtUnmapViewOfSection(>) 17 NtQueryAttributesFile(>) 125
NtTestAlert(>) 1 NtGdiGetStockObject(>) 5 NtWaitForSingleObject(>) 19 NtOpenKey(>) 192
NtUserCallNoParam(>) 1 NtOpenProcessToken(>) 5 NtCreateFile(>) 20 NtClose(>) 330
NtUserCallOneParam(>) 1 NtOpenThreadToken(>) 5 NtUserRegisterWindowMessage(>) 20 NtQueryValueKey(>) 339

Trace (one entry per system call: sequence number, thread id — 540 throughout, which also appears as the UniqueThread field of the LPC reply messages — then the call name with its arguments, where the `...` appears to separate input arguments from the values returned through output parameters, followed by `== status`; entries are run together on long lines, a re-entered call such as 00154/00155 prints the inner call before the outer call's result, and the listing shown here is cut off mid-entry at 00278):

00001 540 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 540 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 540 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 540 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 540 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 540 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 540 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 540 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 540 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 540 NtClose (12, ... 
) == 0x0 00014 540 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 540 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 540 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 540 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 540 NtClose (16, ... ) == 0x0 00021 540 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 540 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 540 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0 00025 540 NtClose (16, ... ) == 0x0 00026 540 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 540 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 540 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 540 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 540 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 540 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 536, 540, 1447, 0} "\360\227\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ... {28, 56, reply, 0, 536, 540, 1447, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 536, 540, 1447, 0} "\360\227\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ) == 0x0 00032 540 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 540 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 540 NtClose (16, ... ) == 0x0 00036 540 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 540 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 540 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 540 NtClose (28, ... ) == 0x0 00041 540 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 540 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 540 NtClose (28, ... ) == 0x0 00045 540 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 540 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 540 NtClose (28, ... ) == 0x0 00049 540 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 540 NtClose (28, ... ) == 0x0 00052 540 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 540 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 540 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 540 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... 
{28, 56, reply, 0, 536, 540, 1448, 0} "\200\324\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ... {28, 56, reply, 0, 536, 540, 1448, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 536, 540, 1448, 0} "\200\324\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ) == 0x0 00056 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 28, ) }, ... 28, ) == 0x0 00057 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00058 540 NtClose (28, ... ) == 0x0 00059 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00061 540 NtClose (28, ... ) == 0x0 00062 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00064 540 NtClose (28, ... ) == 0x0 00065 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00067 540 NtClose (28, ... ) == 0x0 00068 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00070 540 NtClose (28, ... ) == 0x0 00071 540 NtProtectVirtualMemory (-1, (0x4f52d4), 644, 4, ... (0x4f5000), 4096, 8, ) == 0x0 00072 540 NtProtectVirtualMemory (-1, (0x4f5000), 4096, 8, ... (0x4f5000), 4096, 4, ) == 0x0 00073 540 NtFlushInstructionCache (-1, 5197824, 644, ... 
) == 0x0 00074 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00075 540 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00076 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00077 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00078 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0 00079 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00080 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00081 540 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00082 540 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00083 540 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00084 540 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00085 540 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00086 540 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00087 540 NtClose (40, ... ) == 0x0 00088 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00089 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00090 540 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00091 540 NtClose (40, ... ) == 0x0 00092 540 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00093 540 NtClose (36, ... ) == 0x0 00094 540 NtClose (28, ... ) == 0x0 00095 540 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00096 540 NtClose (32, ... ) == 0x0 00097 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 32, ) }, ... 32, ) == 0x0 00098 540 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00099 540 NtClose (32, ... ) == 0x0 00100 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00103 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0 00104 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00105 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00106 540 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00107 540 NtClose (32, ... 
) == 0x0 00108 540 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00109 540 NtClose (28, ... ) == 0x0 00110 540 NtProtectVirtualMemory (-1, (0x4f52d4), 644, 4, ... (0x4f5000), 4096, 4, ) == 0x0 00111 540 NtProtectVirtualMemory (-1, (0x4f5000), 4096, 4, ... (0x4f5000), 4096, 4, ) == 0x0 00112 540 NtFlushInstructionCache (-1, 5197824, 644, ... ) == 0x0 00113 540 NtProtectVirtualMemory (-1, (0x4f52d4), 644, 4, ... (0x4f5000), 4096, 4, ) == 0x0 00114 540 NtProtectVirtualMemory (-1, (0x4f5000), 4096, 4, ... (0x4f5000), 4096, 4, ) == 0x0 00115 540 NtFlushInstructionCache (-1, 5197824, 644, ... ) == 0x0 00116 540 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00117 540 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00118 540 NtClose (28, ... ) == 0x0 00119 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00120 540 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00121 540 NtClose (28, ... ) == 0x0 00122 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00123 540 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00124 540 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00125 540 NtClose (28, ... ) == 0x0 00126 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00127 540 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 540 NtClose (28, ... ) == 0x0 00129 540 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00130 540 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00131 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00133 540 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 536, 540, 1449, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\35\1$\1\0\0" ) ... {28, 56, reply, 0, 536, 540, 1449, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 536, 540, 1449, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\35\1$\1\0\0" ) ) == 0x0 00134 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00135 540 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0 00136 540 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00137 540 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00138 540 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147481956, ) == 0x0 00139 540 NtQueryInformationToken (-2147481956, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00140 540 NtQueryInformationToken (-2147481956, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00141 540 NtClose (-2147481956, ... ) == 0x0 00142 540 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00143 540 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00144 540 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00145 540 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00146 540 NtQueryValueKey (-2147481956, (-2147481956, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00147 540 NtClose (-2147481956, ... ) == 0x0 00148 540 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00149 540 NtQueryValueKey (-2147481956, (-2147481956, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00150 540 NtClose (-2147481956, ... ) == 0x0 00151 540 NtQueryDefaultLocale (0, -136148468, ... ) == 0x0 00152 540 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00153 540 NtUserCallNoParam (24, ... ) == 0x0 00154 540 NtGdiCreateCompatibleDC (0, ... 00155 540 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00154 540 NtGdiCreateCompatibleDC ... 
) == 0x50103db 00156 540 NtGdiGetStockObject (0, ... ) == 0x1900010 00157 540 NtGdiGetStockObject (4, ... ) == 0x1900011 00158 540 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x30503e1 00159 540 NtGdiCreateSolidBrush (0, 0, ... 00160 540 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9502720, 4096, ) == 0x0 00159 540 NtGdiCreateSolidBrush ... ) == 0x1210031a 00161 540 NtGdiGetStockObject (13, ... ) == 0x18a0021 00162 540 NtGdiCreateCompatibleDC (0, ... ) == 0xa01031e 00163 540 NtGdiSelectBitmap (167838494, 50660321, ... ) == 0x185000f 00164 540 NtUserGetThreadDesktop (540, 0, ... ) == 0x2c 00165 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00166 540 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00167 540 NtClose (52, ... ) == 0x0 00168 540 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00169 540 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810ec017 00170 540 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00171 540 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810ec01c 00172 540 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00173 540 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810ec01e 00174 540 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00175 540 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810e8002 00176 540 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... 
) == 0x10013 00177 540 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810ec018 00178 540 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00179 540 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810ec01a 00180 540 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00181 540 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810ec01d 00182 540 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00183 540 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810ec026 00184 540 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00185 540 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810ec019 00186 540 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810ec020 00187 540 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810ec022 00188 540 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00189 540 NtAllocateVirtualMemory (-1, 6451200, 0, 4096, 4096, 32, ... 6451200, 4096, ) == 0x0 00188 540 NtUserRegisterClassExWOW ... ) == 0x810ec023 00190 540 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810ec024 00191 540 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810ec025 00192 540 NtCallbackReturn (0, 0, 0, ... 00193 540 NtGdiInit (... ) == 0x1 00194 540 NtGdiGetStockObject (18, ... ) == 0x290001c 00195 540 NtGdiGetStockObject (19, ... ) == 0x1b00019 00196 540 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 52, ) == 0x0 00197 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0 00198 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 60, ) }, ... 
60, ) == 0x0 00199 540 NtNotifyChangeKey (60, 56, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00200 540 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00201 540 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0 00202 540 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0 00203 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00204 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9568256, 65536, ) == 0x0 00205 540 NtAllocateVirtualMemory (-1, 9568256, 0, 4096, 4096, 4, ... 9568256, 4096, ) == 0x0 00206 540 NtAllocateVirtualMemory (-1, 9572352, 0, 8192, 4096, 4, ... 9572352, 8192, ) == 0x0 00207 540 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 72, ) }, ... 72, ) == 0x0 00208 540 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x930000), 0x0, 12288, ) == 0x0 00209 540 NtClose (72, ... ) == 0x0 00210 540 NtAllocateVirtualMemory (-1, 9580544, 0, 4096, 4096, 4, ... 9580544, 4096, ) == 0x0 00211 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00212 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00213 540 NtTestAlert (... ) == 0x0 00214 540 NtContinue (1244464, 1, ... 00215 540 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x422360,}, 4, ... 
) == 0x0 00216 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00217 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9699328, 65536, ) == 0x0 00218 540 NtAllocateVirtualMemory (-1, 9699328, 0, 4096, 4096, 4, ... 9699328, 4096, ) == 0x0 00219 540 NtAllocateVirtualMemory (-1, 9703424, 0, 8192, 4096, 4, ... 9703424, 8192, ) == 0x0 00220 540 NtAllocateVirtualMemory (-1, 9711616, 0, 4096, 4096, 4, ... 9711616, 4096, ) == 0x0 00221 540 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 72, ) }, ... 72, ) == 0x0 00222 540 NtQueryValueKey (72, (72, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00223 540 NtClose (72, ... ) == 0x0 00224 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 72, ) }, ... 72, ) == 0x0 00225 540 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00226 540 NtClose (72, ... ) == 0x0 00227 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 72, ) }, ... 72, ) == 0x0 00228 540 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00229 540 NtClose (72, ... ) == 0x0 00230 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00231 540 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00232 540 NtClose (72, ... ) == 0x0 00233 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 72, ) }, ... 
72, ) == 0x0 00234 540 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00235 540 NtClose (72, ... ) == 0x0 00236 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00237 540 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00238 540 NtClose (72, ... ) == 0x0 00239 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 72, ) }, ... 72, ) == 0x0 00240 540 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00241 540 NtClose (72, ... ) == 0x0 00242 540 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00243 540 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00244 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00245 540 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00246 540 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00247 540 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00248 540 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 72, ) }, ... 72, ) == 0x0 00249 540 NtCreateEvent (0x1f0003, {24, 72, 0x80, 1240600, 0, (0x1f0003, {24, 72, 0x80, 1240600, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00250 540 NtOpenEvent (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 76, ) }, ... 76, ) == 0x0 00251 540 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 
1343488, 4096, ) == 0x0 00252 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00253 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00254 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0 00255 540 NtQueryValueKey (80, (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00256 540 NtClose (80, ... ) == 0x0 00257 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00258 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00259 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00260 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00261 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 
80, ) == 0x0 00262 540 NtQueryValueKey (80, (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00263 540 NtQueryValueKey (80, (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00264 540 NtQueryValueKey (80, (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00265 540 NtClose (80, ... ) == 0x0 00266 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0 00267 540 NtQueryValueKey (80, (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00268 540 NtQueryValueKey (80, (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00269 540 NtClose (80, ... ) == 0x0 00270 540 NtOpenEvent (0x1f0003, {24, 72, 0x0, 0, 0, (0x1f0003, {24, 72, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00271 540 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00272 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00273 540 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00274 540 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00275 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00276 540 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 00277 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00278 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
80, ) == 0x0 00279 540 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00280 540 NtClose (80, ... ) == 0x0 00281 540 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0 00282 540 NtSetInformationObject (80, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00283 540 NtCreateKey (0xf003f, {24, 80, 0x40, 0, 0, (0xf003f, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 84, 2, ) }, 0, 0x0, 0, ... 84, 2, ) == 0x0 00284 540 NtQueryDefaultUILanguage (1238836, ... 00285 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00286 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481956, ) == 0x0 00287 540 NtQueryInformationToken (-2147481956, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00288 540 NtClose (-2147481956, ... ) == 0x0 00289 540 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00290 540 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00291 540 NtOpenKey (0x80000000, {24, -2147481956, 0x640, 0, 0, (0x80000000, {24, -2147481956, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481964, ) }, ... -2147481964, ) == 0x0 00292 540 NtQueryValueKey (-2147481964, (-2147481964, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00293 540 NtClose (-2147481964, ... ) == 0x0 00294 540 NtClose (-2147481956, ... ) == 0x0 00284 540 NtQueryDefaultUILanguage ... 
) == 0x0 00295 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00296 540 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00297 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 88, {status=0x0, info=1}, ) }, 1, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00298 540 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 88, ... 92, ) == 0x0 00299 540 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x950000), 0x0, 593920, ) == 0x0 00300 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00301 540 NtQueryDefaultUILanguage (2013024600, ... 00302 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00303 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481956, ) == 0x0 00304 540 NtQueryInformationToken (-2147481956, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00305 540 NtClose (-2147481956, ... ) == 0x0 00306 540 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00307 540 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 540 NtOpenKey (0x80000000, {24, -2147481956, 0x640, 0, 0, (0x80000000, {24, -2147481956, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481964, ) }, ... -2147481964, ) == 0x0 00309 540 NtQueryValueKey (-2147481964, (-2147481964, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00310 540 NtClose (-2147481964, ... 
) == 0x0 00311 540 NtClose (-2147481956, ... ) == 0x0 00301 540 NtQueryDefaultUILanguage ... ) == 0x0 00312 540 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00313 540 NtQueryDefaultLocale (1, 1236872, ... ) == 0x0 00314 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00315 540 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1X\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 536, 540, 1450, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1X\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 536, 540, 1450, 0} (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1X\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 536, 540, 1450, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1X\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ) ) == 0x0 00316 540 NtClose (88, ... ) == 0x0 00317 540 NtClose (92, ... 
) == 0x0 00318 540 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00319 540 NtUnmapViewOfSection (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW 00320 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00321 540 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00322 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00323 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00324 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235412, ... ) }, 1235412, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00325 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00326 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00327 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00328 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1236004, ... ) }, 1236004, ... ) == 0x0 00329 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 92, {status=0x0, info=1}, ) }, 3, 33, ... 92, {status=0x0, info=1}, ) == 0x0 00330 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00331 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00332 540 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 88, ... 96, ) == 0x0 00333 540 NtClose (88, ... ) == 0x0 00334 540 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 921600, ) == 0x0 00335 540 NtClose (96, ... 
) == 0x0 00336 540 NtUnmapViewOfSection (-1, 0xa00000, ... ) == 0x0 00337 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00338 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 88, ) == 0x0 00339 540 NtQuerySection (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00340 540 NtClose (96, ... ) == 0x0 00341 540 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00342 540 NtClose (88, ... ) == 0x0 00343 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00344 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00345 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00346 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00347 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00348 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00349 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00350 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00351 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00352 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00353 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00354 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00355 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00356 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00357 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00358 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00359 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00360 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00361 540 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00362 540 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00363 540 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00364 540 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1237188, ... ) , 42, 1237188, ... ) == 0x0 00365 540 NtQueryDefaultUILanguage (1235904, ... 00366 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00367 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481956, ) == 0x0 00368 540 NtQueryInformationToken (-2147481956, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00369 540 NtClose (-2147481956, ... ) == 0x0 00370 540 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00371 540 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00372 540 NtOpenKey (0x80000000, {24, -2147481956, 0x640, 0, 0, (0x80000000, {24, -2147481956, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481964, ) }, ... -2147481964, ) == 0x0 00373 540 NtQueryValueKey (-2147481964, (-2147481964, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00374 540 NtClose (-2147481964, ... ) == 0x0 00375 540 NtClose (-2147481956, ... ) == 0x0 00365 540 NtQueryDefaultUILanguage ... 
) == 0x0 00376 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00377 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234756, ... ) }, 1234756, ... ) == 0x0 00378 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00379 540 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 88, ... 96, ) == 0x0 00380 540 NtClose (88, ... ) == 0x0 00381 540 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x950000), 0x0, 4096, ) == 0x0 00382 540 NtClose (96, ... ) == 0x0 00383 540 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00384 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234396, ... ) }, 1234396, ... ) == 0x0 00385 540 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1235096, (0x80100080, {24, 0, 0x40, 0, 1235096, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) == 0x0 00386 540 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 96, ... 88, ) == 0x0 00387 540 NtClose (96, ... ) == 0x0 00388 540 NtMapViewOfSection (88, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x950000), {0, 0}, 4096, ) == 0x0 00389 540 NtClose (88, ... ) == 0x0 00390 540 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00391 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 88, {status=0x0, info=1}, ) }, 1, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00392 540 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 88, ... 96, ) == 0x0 00393 540 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 
(0x950000), 0x0, 4096, ) == 0x0 00394 540 NtQueryInformationFile (88, 1234716, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00395 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00396 540 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1234796, 1, 96, 0} (24, {128, 156, new_msg, 0, 1234796, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1X\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0l\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 536, 540, 1451, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1X\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0l\336\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 536, 540, 1451, 0} (24, {128, 156, new_msg, 0, 1234796, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1X\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0l\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 536, 540, 1451, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1X\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0l\336\22\0\0\0\0\0" ) ) == 0x0 00397 540 NtClose (88, ... ) == 0x0 00398 540 NtClose (96, ... ) == 0x0 00399 540 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00400 540 NtUnmapViewOfSection (-1, 0x12de6c, ... ) == STATUS_NOT_MAPPED_VIEW 00401 540 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00402 540 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00403 540 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00404 540 NtUserGetDC (0, ... ) == 0x1010052 00405 540 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00406 540 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00407 540 NtUserSystemParametersInfo (66, 12, 1237208, 0, ... ) == 0x1 00408 540 NtOpenProcessToken (-1, 0x8, ... 96, ) == 0x0 00409 540 NtAccessCheck (1345264, 96, 0x1, 1236612, 1236556, 56, 1236640, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00410 540 NtClose (96, ... ) == 0x0 00411 540 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Control Panel\Desktop"}, ... 96, ) }, ... 96, ) == 0x0 00412 540 NtQueryValueKey (96, (96, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00413 540 NtClose (96, ... ) == 0x0 00414 540 NtUserSystemParametersInfo (41, 500, 1236708, 0, ... ) == 0x1 00415 540 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 96, ) }, ... 96, ) == 0x0 00416 540 NtQueryValueKey (96, (96, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00417 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 88, ) }, ... 88, ) == 0x0 00418 540 NtQueryValueKey (88, (88, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00419 540 NtClose (88, ... ) == 0x0 00420 540 NtClose (96, ... ) == 0x0 00421 540 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00422 540 NtUserSystemParametersInfo (4130, 0, 1237232, 0, ... ) == 0x1 00423 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 96, ) }, ... 
96, ) == 0x0 00424 540 NtEnumerateValueKey (96, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00425 540 NtClose (96, ... ) == 0x0 00426 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00427 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec03b 00428 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec03d 00429 540 NtUserFindExistingCursorIcon (1236512, 1236528, 1237096, ... ) == 0x10011 00430 540 NtUserRegisterClassExWOW (1236964, 1237044, 1237028, 1237060, 0, 384, 0, ... ) == 0x810ec03f 00431 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00432 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec041 00433 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00434 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec043 00435 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec045 00436 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00437 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec047 00438 540 NtUserFindExistingCursorIcon (1236512, 1236528, 1237096, ... ) == 0x10011 00439 540 NtUserRegisterClassExWOW (1236964, 1237044, 1237028, 1237060, 0, 384, 0, ... ) == 0x810ec049 00440 540 NtUserGetClassInfo (1905590272, 1237128, 1237080, 1237156, 0, ... ) == 0xc049 00441 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00442 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec04b 00443 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00444 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec04d 00445 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... 
) == 0x10011 00446 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec04f 00447 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec051 00448 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00449 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec053 00450 540 NtUserFindExistingCursorIcon (1236512, 1236528, 1237096, ... ) == 0x10011 00451 540 NtUserRegisterClassExWOW (1236964, 1237044, 1237028, 1237060, 0, 384, 0, ... ) == 0x810ec055 00452 540 NtUserRegisterClassExWOW (1236964, 1237044, 1237028, 1237060, 0, 384, 0, ... ) == 0x810ec057 00453 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00454 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec059 00455 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10013 00456 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec05b 00457 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00458 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec05d 00459 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00460 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec05f 00461 540 NtUserFindExistingCursorIcon (1236512, 1236528, 1237096, ... ) == 0x10011 00462 540 NtUserRegisterClassExWOW (1236964, 1237044, 1237028, 1237060, 0, 384, 0, ... ) == 0x810ec017 00463 540 NtUserFindExistingCursorIcon (1236512, 1236528, 1237096, ... ) == 0x10011 00464 540 NtUserRegisterClassExWOW (1236964, 1237044, 1237028, 1237060, 0, 384, 0, ... ) == 0x810ec019 00465 540 NtUserFindExistingCursorIcon (1236512, 1236528, 1237096, ... ) == 0x10013 00466 540 NtUserRegisterClassExWOW (1236964, 1237044, 1237028, 1237060, 0, 384, 0, ... 
) == 0x810ec018 00467 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00468 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec01a 00469 540 NtUserFindExistingCursorIcon (1236512, 1236528, 1237096, ... ) == 0x10011 00470 540 NtUserRegisterClassExWOW (1236964, 1237044, 1237028, 1237060, 0, 384, 0, ... ) == 0x810ec01c 00471 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00472 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec01e 00473 540 NtUserFindExistingCursorIcon (1236512, 1236528, 1237096, ... ) == 0x10011 00474 540 NtUserRegisterClassExWOW (1237024, 1237104, 1237088, 1237120, 0, 384, 0, ... 00475 540 NtAllocateVirtualMemory (-1, 6455296, 0, 4096, 4096, 32, ... 6455296, 4096, ) == 0x0 00474 540 NtUserRegisterClassExWOW ... ) == 0x810ec01b 00476 540 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00477 540 NtUserRegisterClassExWOW (1237020, 1237100, 1237084, 1237116, 0, 384, 0, ... ) == 0x810ec068 00478 540 NtUserFindExistingCursorIcon (1236516, 1236532, 1237100, ... ) == 0x10011 00479 540 NtUserRegisterClassExWOW (1236968, 1237048, 1237032, 1237064, 0, 384, 0, ... ) == 0x810ec06a 00480 540 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0 00481 540 NtQueryValueKey (96, (96, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 540 NtQueryValueKey (96, (96, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00483 540 NtQueryValueKey (96, (96, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00484 540 NtQueryValueKey (96, (96, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00485 540 NtQueryValueKey (96, (96, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00486 540 NtQueryValueKey (96, (96, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00487 540 NtQueryValueKey (96, (96, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00488 540 NtQueryValueKey (96, (96, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00489 540 NtQueryValueKey (96, (96, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00490 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00491 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239940, ... ) }, 1239940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00492 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1239940, ... ) }, 1239940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00493 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1239940, ... ) }, 1239940, ... ) == 0x0 00494 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00495 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 100, ) == 0x0 00496 540 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00497 540 NtClose (88, ... 
) == 0x0 00498 540 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 00499 540 NtClose (100, ... ) == 0x0 00500 540 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 100, ) == 0x0 00501 540 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0 00502 540 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 104, ) }, ... 104, ) == 0x0 00503 540 NtQueryEvent (104, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 00504 540 NtClose (104, ... ) == 0x0 00505 540 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241424, 140, ... 104, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241424, 140, ... 104, 0x0, 0x0, 256, 140, ) == 0x0 00506 540 NtRequestWaitReplyPort (104, {28, 52, new_msg, 0, 0, 0, 0, 0} (104, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 536, 540, 1453, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 536, 540, 1453, 0} (104, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 536, 540, 1453, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 00507 540 NtQueryValueKey (96, (96, "SyncMode5", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00508 540 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 108, ) }, ... 108, ) == 0x0 00509 540 NtQueryValueKey (108, (108, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00510 540 NtClose (108, ... ) == 0x0 00511 540 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 108, ) }, ... 108, ) == 0x0 00512 540 NtQueryValueKey (108, (108, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00513 540 NtClose (108, ... ) == 0x0 00514 540 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 108, ) }, ... 108, ) == 0x0 00515 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 112, ) }, ... 112, ) == 0x0 00516 540 NtQueryValueKey (112, (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00517 540 NtClose (112, ... ) == 0x0 00518 540 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 112, ) }, ... 112, ) == 0x0 00519 540 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 116, ) }, ... 116, ) == 0x0 00520 540 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 120, ) }, ... 
120, ) == 0x0 00521 540 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 124, ) }, ... 124, ) == 0x0 00522 540 NtQueryValueKey (124, (124, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00523 540 NtQueryValueKey (124, (124, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00524 540 NtClose (124, ... ) == 0x0 00525 540 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 124, ) }, ... 124, ) == 0x0 00526 540 NtQueryValueKey (124, (124, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (124, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00527 540 NtQueryValueKey (124, (124, "Cache", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (124, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00528 540 NtQueryValueKey (124, (124, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (124, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00529 540 NtQueryValueKey (124, (124, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (124, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00530 540 NtQueryValueKey (124, (124, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (124, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00531 540 NtQueryValueKey (124, (124, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (124, "History", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00532 540 NtClose (124, ... ) == 0x0 00533 540 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "Content"}, ... 124, ) }, ... 124, ) == 0x0 00534 540 NtQueryValueKey (124, (124, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00535 540 NtClose (124, ... ) == 0x0 00536 540 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "Content"}, ... 124, ) }, ... 124, ) == 0x0 00537 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 128, ) }, ... 128, ) == 0x0 00538 540 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00539 540 NtClose (128, ... ) == 0x0 00540 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 128, ) }, ... 128, ) == 0x0 00541 540 NtQueryValueKey (128, (128, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00542 540 NtClose (128, ... ) == 0x0 00543 540 NtQueryDefaultUILanguage (1236392, ... 00544 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00545 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481956, ) == 0x0 00546 540 NtQueryInformationToken (-2147481956, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00547 540 NtClose (-2147481956, ... ) == 0x0 00548 540 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481956, ) }, ... 
-2147481956, ) == 0x0 00549 540 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00550 540 NtOpenKey (0x80000000, {24, -2147481956, 0x640, 0, 0, (0x80000000, {24, -2147481956, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481964, ) }, ... -2147481964, ) == 0x0 00551 540 NtQueryValueKey (-2147481964, (-2147481964, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00552 540 NtClose (-2147481964, ... ) == 0x0 00553 540 NtClose (-2147481956, ... ) == 0x0 00543 540 NtQueryDefaultUILanguage ... ) == 0x0 00554 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00555 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 128, {status=0x0, info=1}, ) }, 1, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00556 540 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 128, ... 132, ) == 0x0 00557 540 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa00000), 0x0, 8323072, ) == 0x0 00558 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00559 540 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00560 540 NtQueryDefaultLocale (1, 1234428, ... ) == 0x0 00561 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00562 540 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1235284, 1, 96, 0} (24, {128, 156, new_msg, 0, 1235284, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\200\0\0\0\377\377\377\377\0\0\0\0\20\311\327\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 536, 540, 1454, 0} " S\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\200\0\0\0\377\377\377\377\0\0\0\0\20\311\327\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 536, 540, 1454, 0} (24, {128, 156, new_msg, 0, 1235284, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\200\0\0\0\377\377\377\377\0\0\0\0\20\311\327\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 536, 540, 1454, 0} " S\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\200\0\0\0\377\377\377\377\0\0\0\0\20\311\327\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\340\22\0\0\0\0\0" ) ) == 0x0 00563 540 NtClose (128, ... ) == 0x0 00564 540 NtClose (132, ... ) == 0x0 00565 540 NtUnmapViewOfSection (-1, 0xa00000, ... ) == 0x0 00566 540 NtUnmapViewOfSection (-1, 0x12e054, ... ) == STATUS_NOT_MAPPED_VIEW 00567 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00568 540 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 
1355776, 4096, ) == 0x0 00569 540 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00570 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00571 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00572 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233512, ... ) }, 1233512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00573 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00574 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00575 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00576 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1234104, ... ) }, 1234104, ... ) == 0x0 00577 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 132, {status=0x0, info=1}, ) }, 3, 33, ... 132, {status=0x0, info=1}, ) == 0x0 00578 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00579 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 128, ) }, ... 128, ) == 0x0 00580 540 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00581 540 NtClose (128, ... ) == 0x0 00582 540 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {536, 0}, ... 128, ) == 0x0 00583 540 NtQueryInformationProcess (128, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00584 540 NtClose (128, ... ) == 0x0 00585 540 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00586 540 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00587 540 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... 
) == 0x1 00588 540 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Control Panel\Desktop"}, ... 128, ) }, ... 128, ) == 0x0 00589 540 NtQueryValueKey (128, (128, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00590 540 NtClose (128, ... ) == 0x0 00591 540 NtUserSystemParametersInfo (41, 500, 1235968, 0, ... ) == 0x1 00592 540 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00593 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00594 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00595 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec03b 00596 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00597 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec03d 00598 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00599 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00600 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec03f 00601 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00602 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00603 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec041 00604 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00605 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00606 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec043 00607 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00608 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec045 00609 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... 
) == 0x0 00610 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00611 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec047 00612 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00613 540 NtUserFindExistingCursorIcon (1235756, 1235772, 1236340, ... ) == 0x10011 00614 540 NtUserRegisterClassExWOW (1236208, 1236288, 1236272, 1236304, 0, 384, 0, ... ) == 0x810ec049 00615 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00616 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00617 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec04b 00618 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00619 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00620 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec04d 00621 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00622 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00623 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec04f 00624 540 NtUserGetClassInfo (1999896576, 1236380, 1236332, 1236408, 0, ... ) == 0x0 00625 540 NtUserRegisterClassExWOW (1236216, 1236296, 1236280, 1236312, 0, 384, 0, ... ) == 0x810ec051 00626 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00627 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00628 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec053 00629 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00630 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00631 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... 
) == 0x810ec055 00632 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec057 00633 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00634 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00635 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec059 00636 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00637 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10013 00638 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec05b 00639 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00640 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00641 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec05d 00642 540 NtUserGetClassInfo (1999896576, 1236376, 1236328, 1236404, 0, ... ) == 0x0 00643 540 NtUserFindExistingCursorIcon (1235760, 1235776, 1236344, ... ) == 0x10011 00644 540 NtUserRegisterClassExWOW (1236212, 1236292, 1236276, 1236308, 0, 384, 0, ... ) == 0x810ec05f 00645 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc03b 00646 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc03d 00647 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc03f 00648 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc041 00649 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc043 00650 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc045 00651 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc047 00652 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc049 00653 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... 
) == 0xc04b 00654 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc04d 00655 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc04f 00656 540 NtUserGetClassInfo (1999896576, 1238132, 1238084, 1238160, 0, ... ) == 0xc051 00657 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc053 00658 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc055 00659 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc059 00660 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc05b 00661 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc05d 00662 540 NtUserGetClassInfo (1999896576, 1238128, 1238080, 1238156, 0, ... ) == 0xc05f 00663 540 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00664 540 NtCreateSemaphore (0x1f0003, {24, 72, 0x80, 1355936, 0, (0x1f0003, {24, 72, 0x80, 1355936, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 128, ) }, 0, 2147483647, ... 128, ) == STATUS_OBJECT_NAME_EXISTS 00665 540 NtReleaseSemaphore (128, 1, ... 0, ) == 0x0 00666 540 NtWaitForSingleObject (128, 0, {0, 0}, ... ) == 0x0 00667 540 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 00668 540 NtQueryValueKey (136, (136, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Cache", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00669 540 NtClose (136, ... ) == 0x0 00670 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1238652, ... ) }, 1238652, ... ) == 0x0 00671 540 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 00672 540 NtSetValueKey (136, (136, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1, (136, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 00673 540 NtClose (136, ... ) == 0x0 00674 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239984, ... ) }, 1239984, ... ) == 0x0 00675 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239716, ... ) }, 1239716, ... ) == 0x0 00676 540 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 136, {status=0x0, info=1}, ) }, 7, 2113568, ... 
136, {status=0x0, info=1}, ) == 0x0 00677 540 NtSetInformationFile (136, 1239692, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00678 540 NtClose (136, ... ) == 0x0 00679 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1239716, ... ) }, 1239716, ... ) == 0x0 00680 540 NtQueryValueKey (124, (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00681 540 NtQueryValueKey (124, (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00682 540 NtQueryValueKey (124, (124, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 00683 540 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 136, ) }, ... 136, ) == 0x0 00684 540 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "Paths"}, ... 140, ) }, ... 140, ) == 0x0 00685 540 NtOpenKey (0xf, {24, 140, 0x40, 0, 0, (0xf, {24, 140, 0x40, 0, 0, "Path1"}, ... 144, ) }, ... 144, ) == 0x0 00686 540 NtOpenKey (0xf, {24, 140, 0x40, 0, 0, (0xf, {24, 140, 0x40, 0, 0, "Path2"}, ... 148, ) }, ... 148, ) == 0x0 00687 540 NtOpenKey (0xf, {24, 140, 0x40, 0, 0, (0xf, {24, 140, 0x40, 0, 0, "Path3"}, ... 152, ) }, ... 152, ) == 0x0 00688 540 NtOpenKey (0xf, {24, 140, 0x40, 0, 0, (0xf, {24, 140, 0x40, 0, 0, "Path4"}, ... 156, ) }, ... 
156, ) == 0x0 00689 540 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "Special Paths"}, ... 160, ) }, ... 160, ) == 0x0 00690 540 NtSetValueKey (140, (140, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (140, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 00691 540 NtSetValueKey (140, (140, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (140, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0 00692 540 NtSetValueKey (144, (144, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1, (144, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 00693 540 NtSetValueKey (148, (148, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... 
) , 0, 1, (148, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 00694 540 NtSetValueKey (152, (152, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1, (152, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0 00695 540 NtSetValueKey (156, (156, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (156, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 00696 540 NtSetValueKey (144, (144, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (144, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00697 540 NtSetValueKey (148, (148, "CacheLimit", 0, 4, "\252_\0\0", 4, ... 
) , 0, 4, (148, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00698 540 NtSetValueKey (152, (152, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (152, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00699 540 NtSetValueKey (156, (156, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (156, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00700 540 NtClose (156, ... ) == 0x0 00701 540 NtClose (152, ... ) == 0x0 00702 540 NtClose (148, ... ) == 0x0 00703 540 NtClose (144, ... ) == 0x0 00704 540 NtClose (140, ... ) == 0x0 00705 540 NtClose (160, ... ) == 0x0 00706 540 NtClose (136, ... ) == 0x0 00707 540 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "Cookies"}, ... 136, ) }, ... 136, ) == 0x0 00708 540 NtQueryValueKey (136, (136, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00709 540 NtClose (136, ... ) == 0x0 00710 540 NtClose (124, ... ) == 0x0 00711 540 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "Cookies"}, ... 124, ) }, ... 124, ) == 0x0 00712 540 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00713 540 NtReleaseSemaphore (128, 1, ... 0, ) == 0x0 00714 540 NtWaitForSingleObject (128, 0, {0, 0}, ... ) == 0x0 00715 540 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 00716 540 NtQueryValueKey (136, (136, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00717 540 NtClose (136, ... ) == 0x0 00718 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1238652, ... ) }, 1238652, ... ) == 0x0 00719 540 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 00720 540 NtSetValueKey (136, (136, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1, (136, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 00721 540 NtClose (136, ... ) == 0x0 00722 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1239984, ... ) }, 1239984, ... ) == 0x0 00723 540 NtQueryValueKey (124, (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00724 540 NtQueryValueKey (124, (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00725 540 NtQueryValueKey (124, (124, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "CacheLimit", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00726 540 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "History"}, ... 136, ) }, ... 136, ) == 0x0 00727 540 NtQueryValueKey (136, (136, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00728 540 NtClose (136, ... ) == 0x0 00729 540 NtClose (124, ... ) == 0x0 00730 540 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "History"}, ... 124, ) }, ... 124, ) == 0x0 00731 540 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00732 540 NtReleaseSemaphore (128, 1, ... 0, ) == 0x0 00733 540 NtWaitForSingleObject (128, 0, {0, 0}, ... ) == 0x0 00734 540 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 00735 540 NtQueryValueKey (136, (136, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00736 540 NtClose (136, ... ) == 0x0 00737 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1238652, ... ) }, 1238652, ... ) == 0x0 00738 540 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 
136, 2, ) == 0x0 00739 540 NtSetValueKey (136, (136, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (136, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 00740 540 NtClose (136, ... ) == 0x0 00741 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239984, ... ) }, 1239984, ... ) == 0x0 00742 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239716, ... ) }, 1239716, ... ) == 0x0 00743 540 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 136, {status=0x0, info=1}, ) }, 7, 2113568, ... 136, {status=0x0, info=1}, ) == 0x0 00744 540 NtSetInformationFile (136, 1239692, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00745 540 NtClose (136, ... ) == 0x0 00746 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1239716, ... ) }, 1239716, ... ) == 0x0 00747 540 NtQueryValueKey (124, (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00748 540 NtQueryValueKey (124, (124, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00749 540 NtQueryValueKey (124, (124, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00750 540 NtClose (124, ... ) == 0x0 00751 540 NtClose (120, ... ) == 0x0 00752 540 NtClose (112, ... ) == 0x0 00753 540 NtClose (116, ... ) == 0x0 00754 540 NtClose (108, ... ) == 0x0 00755 540 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 108, ) }, ... 108, ) == 0x0 00756 540 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00757 540 NtCreateMutant (0x1f0001, {24, 72, 0x80, 1355936, 0, (0x1f0001, {24, 72, 0x80, 1355936, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, 0, ... 116, ) }, 0, ... 116, ) == 0x0 00758 540 NtWaitForSingleObject (116, 0, 0x0, ... ) == 0x0 00759 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 112, {status=0x0, info=1}, ) }, 3, 8388641, ... 112, {status=0x0, info=1}, ) == 0x0 00760 540 NtQueryVolumeInformationFile (112, 1241236, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00761 540 NtClose (112, ... ) == 0x0 00762 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 112, {status=0x0, info=1}, ) }, 3, 8388641, ... 112, {status=0x0, info=1}, ) == 0x0 00763 540 NtQueryVolumeInformationFile (112, 1241260, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00764 540 NtClose (112, ... 
) == 0x0 00765 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241588, ... ) }, 1241588, ... ) == 0x0 00766 540 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 112, {status=0x0, info=1}, ) }, 7, 2113568, ... 112, {status=0x0, info=1}, ) == 0x0 00767 540 NtSetInformationFile (112, 1241564, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00768 540 NtClose (112, ... ) == 0x0 00769 540 NtCreateFile (0xc0100080, {24, 0, 0x40, 1355936, 1241580, (0xc0100080, {24, 0, 0x40, 1355936, 1241580, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0 00770 540 NtSetInformationFile (112, 1241632, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00771 540 NtQueryInformationFile (112, 1241632, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00772 540 NtClose (112, ... ) == 0x0 00773 540 NtCreateFile (0xc0100080, {24, 0, 0x40, 1355936, 1241564, (0xc0100080, {24, 0, 0x40, 1355936, 1241564, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0 00774 540 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00775 540 NtCreateSection (0xf0007, {24, 72, 0x80, 1355936, 0, (0xf0007, {24, 72, 0x80, 1355936, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, 0x0, 4, 134217728, 112, ... 120, ) }, 0x0, 4, 134217728, 112, ... 120, ) == 0x0 00776 540 NtMapViewOfSection (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x970000), {0, 0}, 32768, ) == 0x0 00777 540 NtWaitForSingleObject (116, 0, 0x0, ... ) == 0x0 00778 540 NtQueryInformationFile (112, 1241596, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00779 540 NtReleaseMutant (116, ... 0x0, ) == 0x0 00780 540 NtReleaseMutant (116, ... 0x0, ) == 0x0 00781 540 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00782 540 NtCreateMutant (0x1f0001, {24, 72, 0x80, 1355936, 0, (0x1f0001, {24, 72, 0x80, 1355936, 0, "c:!documents and settings!sri-user!cookies!"}, 0, ... 124, ) }, 0, ... 124, ) == 0x0 00783 540 NtWaitForSingleObject (124, 0, 0x0, ... ) == 0x0 00784 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 136, {status=0x0, info=1}, ) }, 3, 8388641, ... 136, {status=0x0, info=1}, ) == 0x0 00785 540 NtQueryVolumeInformationFile (136, 1241236, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00786 540 NtClose (136, ... ) == 0x0 00787 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 136, {status=0x0, info=1}, ) }, 3, 8388641, ... 136, {status=0x0, info=1}, ) == 0x0 00788 540 NtQueryVolumeInformationFile (136, 1241260, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00789 540 NtClose (136, ... ) == 0x0 00790 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1241588, ... ) }, 1241588, ... 
) == 0x0 00791 540 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 136, {status=0x0, info=1}, ) }, 7, 2113568, ... 136, {status=0x0, info=1}, ) == 0x0 00792 540 NtSetInformationFile (136, 1241564, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00793 540 NtClose (136, ... ) == 0x0 00794 540 NtCreateFile (0xc0100080, {24, 0, 0x40, 1355936, 1241580, (0xc0100080, {24, 0, 0x40, 1355936, 1241580, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0 00795 540 NtSetInformationFile (136, 1241632, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00796 540 NtQueryInformationFile (136, 1241632, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00797 540 NtClose (136, ... ) == 0x0 00798 540 NtCreateFile (0xc0100080, {24, 0, 0x40, 1355936, 1241564, (0xc0100080, {24, 0, 0x40, 1355936, 1241564, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0 00799 540 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00800 540 NtCreateSection (0xf0007, {24, 72, 0x80, 1355936, 0, (0xf0007, {24, 72, 0x80, 1355936, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, 0x0, 4, 134217728, 136, ... 160, ) }, 0x0, 4, 134217728, 136, ... 160, ) == 0x0 00801 540 NtMapViewOfSection (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x980000), {0, 0}, 16384, ) == 0x0 00802 540 NtReleaseMutant (124, ... 0x0, ) == 0x0 00803 540 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00804 540 NtCreateMutant (0x1f0001, {24, 72, 0x80, 1355936, 0, (0x1f0001, {24, 72, 0x80, 1355936, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, 0, ... 140, ) }, 0, ... 140, ) == 0x0 00805 540 NtWaitForSingleObject (140, 0, 0x0, ... ) == 0x0 00806 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 144, {status=0x0, info=1}, ) }, 3, 8388641, ... 144, {status=0x0, info=1}, ) == 0x0 00807 540 NtQueryVolumeInformationFile (144, 1241236, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00808 540 NtClose (144, ... ) == 0x0 00809 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 144, {status=0x0, info=1}, ) }, 3, 8388641, ... 144, {status=0x0, info=1}, ) == 0x0 00810 540 NtQueryVolumeInformationFile (144, 1241260, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00811 540 NtClose (144, ... ) == 0x0 00812 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241588, ... ) }, 1241588, ... ) == 0x0 00813 540 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 144, {status=0x0, info=1}, ) }, 7, 2113568, ... 144, {status=0x0, info=1}, ) == 0x0 00814 540 NtSetInformationFile (144, 1241564, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00815 540 NtClose (144, ... ) == 0x0 00816 540 NtCreateFile (0xc0100080, {24, 0, 0x40, 1355936, 1241580, (0xc0100080, {24, 0, 0x40, 1355936, 1241580, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 
144, {status=0x0, info=1}, ) == 0x0 00817 540 NtSetInformationFile (144, 1241632, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00818 540 NtQueryInformationFile (144, 1241632, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00819 540 NtClose (144, ... ) == 0x0 00820 540 NtCreateFile (0xc0100080, {24, 0, 0x40, 1355936, 1241564, (0xc0100080, {24, 0, 0x40, 1355936, 1241564, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 00821 540 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00822 540 NtCreateSection (0xf0007, {24, 72, 0x80, 1355936, 0, (0xf0007, {24, 72, 0x80, 1355936, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, 0x0, 4, 134217728, 144, ... 148, ) }, 0x0, 4, 134217728, 144, ... 148, ) == 0x0 00823 540 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 32768, ) == 0x0 00824 540 NtReleaseMutant (140, ... 0x0, ) == 0x0 00825 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241644, ... ) }, 1241644, ... ) == 0x0 00826 540 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 152, {status=0x0, info=1}, ) }, 7, 2113568, ... 152, {status=0x0, info=1}, ) == 0x0 00827 540 NtSetInformationFile (152, 1241620, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00828 540 NtClose (152, ... 
) == 0x0 00829 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241644, ... ) }, 1241644, ... ) == 0x0 00830 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241644, ... ) }, 1241644, ... ) == 0x0 00831 540 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 152, {status=0x0, info=1}, ) }, 7, 2113568, ... 152, {status=0x0, info=1}, ) == 0x0 00832 540 NtSetInformationFile (152, 1241620, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00833 540 NtClose (152, ... ) == 0x0 00834 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1241644, ... ) }, 1241644, ... ) == 0x0 00835 540 NtWaitForSingleObject (116, 0, 0x0, ... ) == 0x0 00836 540 NtQueryInformationFile (112, 1240028, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00837 540 NtReleaseMutant (116, ... 0x0, ) == 0x0 00838 540 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 152, ) }, ... 152, ) == 0x0 00839 540 NtOpenKey (0xf, {24, 152, 0x40, 0, 0, (0xf, {24, 152, 0x40, 0, 0, "Extensible Cache"}, ... 156, ) }, ... 156, ) == 0x0 00840 540 NtClose (152, ... ) == 0x0 00841 540 NtWaitForSingleObject (108, 0, {-600000000, -1}, ... ) == 0x0 00842 540 NtEnumerateKey (156, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (156, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 00843 540 NtOpenKey (0xf, {24, 156, 0x40, 0, 0, (0xf, {24, 156, 0x40, 0, 0, "MSHist012007051420070521"}, ... 152, ) }, ... 
152, ) == 0x0 00844 540 NtQueryValueKey (152, (152, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00845 540 NtQueryValueKey (152, (152, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00846 540 NtQueryValueKey (152, (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00847 540 NtQueryValueKey (152, (152, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00848 540 NtQueryValueKey (152, (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00849 540 NtQueryValueKey (152, (152, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00850 540 NtQueryValueKey (152, (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00851 540 NtQueryValueKey (152, (152, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00852 540 NtQueryValueKey (152, (152, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00853 540 NtClose (152, ... ) == 0x0 00854 540 NtEnumerateKey (156, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (156, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 00855 540 NtOpenKey (0xf, {24, 156, 0x40, 0, 0, (0xf, {24, 156, 0x40, 0, 0, "MSHist012007052120070528"}, ... 152, ) }, ... 152, ) == 0x0 00856 540 NtQueryValueKey (152, (152, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00857 540 NtQueryValueKey (152, (152, "CachePath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00858 540 NtQueryValueKey (152, (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00859 540 NtQueryValueKey (152, (152, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00860 540 NtQueryValueKey (152, (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00861 540 NtQueryValueKey (152, (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00862 540 NtQueryValueKey (152, (152, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00863 540 NtQueryValueKey (152, (152, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00864 540 NtQueryValueKey (152, (152, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00865 540 NtClose (152, ... ) == 0x0 00866 540 NtEnumerateKey (156, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (156, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 00867 540 NtOpenKey (0xf, {24, 156, 0x40, 0, 0, (0xf, {24, 156, 0x40, 0, 0, "MSHist012007053120070601"}, ... 152, ) }, ... 152, ) == 0x0 00868 540 NtQueryValueKey (152, (152, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00869 540 NtQueryValueKey (152, (152, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00870 540 NtQueryValueKey (152, (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... 
TitleIdx=0, Type=2, Data= (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00871 540 NtQueryValueKey (152, (152, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00872 540 NtQueryValueKey (152, (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (152, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00873 540 NtQueryValueKey (152, (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00874 540 NtQueryValueKey (152, (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00875 540 NtQueryValueKey (152, (152, "CacheLimit", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00876 540 NtQueryValueKey (152, (152, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00877 540 NtClose (152, ... ) == 0x0 00878 540 NtEnumerateKey (156, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 00879 540 NtReleaseMutant (108, ... 0x0, ) == 0x0 00880 540 NtClose (156, ... ) == 0x0 00881 540 NtWaitForSingleObject (116, 0, 0x0, ... ) == 0x0 00882 540 NtQueryInformationFile (112, 1241956, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00883 540 NtReleaseMutant (116, ... 0x0, ) == 0x0 00884 540 NtWaitForSingleObject (116, 0, 0x0, ... ) == 0x0 00885 540 NtQueryInformationFile (112, 1242028, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00886 540 NtReleaseMutant (116, ... 0x0, ) == 0x0 00887 540 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00888 540 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00889 540 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00890 540 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00891 540 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00892 540 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00893 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 156, ) }, ... 156, ) == 0x0 00894 540 NtQueryValueKey (156, (156, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00895 540 NtClose (156, ... ) == 0x0 00896 540 NtQueryValueKey (96, (96, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 540 NtQueryValueKey (96, (96, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00898 540 NtQueryValueKey (96, (96, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00899 540 NtQueryValueKey (96, (96, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00900 540 NtQueryValueKey (96, (96, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00901 540 NtQueryValueKey (96, (96, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00902 540 NtQueryValueKey (96, (96, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00903 540 NtQueryValueKey (96, (96, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00904 540 NtQueryValueKey (96, (96, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00905 540 NtQueryValueKey (96, (96, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00906 540 NtQueryValueKey (96, (96, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00907 540 NtQueryValueKey (96, (96, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00908 540 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 156, ) }, ... 156, ) == 0x0 00909 540 NtQueryValueKey (156, (156, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 540 NtClose (156, ... ) == 0x0 00911 540 NtQueryValueKey (96, (96, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 540 NtQueryValueKey (96, (96, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00913 540 NtQueryValueKey (96, (96, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00914 540 NtQueryValueKey (96, (96, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 540 NtQueryValueKey (96, (96, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00916 540 NtQueryValueKey (96, (96, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 540 NtQueryValueKey (96, (96, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 540 NtQueryValueKey (96, (96, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 540 NtQueryValueKey (96, (96, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 156, ) }, ... 156, ) == 0x0 00921 540 NtQueryValueKey (156, (156, "DontUseDNSLoadBalancing", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00922 540 NtClose (156, ... ) == 0x0 00923 540 NtQueryValueKey (96, (96, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00924 540 NtQueryValueKey (96, (96, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00925 540 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00926 540 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00927 540 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00928 540 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00929 540 NtQueryValueKey (96, (96, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 540 NtQueryValueKey (96, (96, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 540 NtQueryValueKey (96, (96, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00932 540 NtQueryValueKey (96, (96, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 540 NtQueryValueKey (96, (96, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (96, "WarnOnPost", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00934 540 NtQueryValueKey (96, (96, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 540 NtQueryValueKey (96, (96, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 540 NtQueryValueKey (96, (96, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 540 NtQueryValueKey (96, (96, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 540 NtQueryValueKey (96, (96, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00939 540 NtQueryValueKey (96, (96, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 540 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "WininetStartupMutex"}, ... 156, ) }, ... 156, ) == 0x0 00941 540 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 152, ) == 0x0 00942 540 NtQueryValueKey (96, (96, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 540 NtWaitForSingleObject (116, 0, 0x0, ... ) == 0x0 00944 540 NtQueryInformationFile (112, 1242004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00945 540 NtReleaseMutant (116, ... 0x0, ) == 0x0 00946 540 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "WininetConnectionMutex"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 540 NtCreateMutant (0x1f0001, {24, 72, 0x80, 1355936, 0, (0x1f0001, {24, 72, 0x80, 1355936, 0, "WininetConnectionMutex"}, 0, ... 164, ) }, 0, ... 164, ) == 0x0 00948 540 NtCreateMutant (0x1f0001, 0x0, 0, ... 168, ) == 0x0 00949 540 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 172, ) }, ... 
172, ) == 0x0 00950 540 NtQueryValueKey (96, (96, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00951 540 NtQueryValueKey (96, (96, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00952 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 176, ) }, ... 176, ) == 0x0 00953 540 NtQueryValueKey (176, (176, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 00954 540 NtQueryValueKey (176, (176, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 00955 540 NtClose (176, ... ) == 0x0 00956 540 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 176, ) == 0x0 00957 540 NtWaitForSingleObject (176, 0, 0x0, ... ) == 0x0 00958 540 NtClearEvent (176, ... ) == 0x0 00959 540 NtSetEvent (176, ... 0x0, ) == 0x0 00960 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00961 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1239936, ... ) }, 1239936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00962 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1239936, ... 
) }, 1239936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1239936, ... ) }, 1239936, ... ) == 0x0 00964 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 00965 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 00966 540 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00967 540 NtClose (180, ... ) == 0x0 00968 540 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 00969 540 NtClose (184, ... ) == 0x0 00970 540 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0 00971 540 NtQueryValueKey (184, (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00972 540 NtQueryValueKey (184, (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00973 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0 00974 540 NtOpenKey (0x2000000, {24, 184, 0x40, 0, 0, (0x2000000, {24, 184, 0x40, 0, 0, "Protocol_Catalog9"}, ... 188, ) }, ... 188, ) == 0x0 00975 540 NtQueryValueKey (188, (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00976 540 NtNotifyChangeKey (188, 180, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00977 540 NtQueryValueKey (188, (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00978 540 NtOpenKey (0x2000000, {24, 188, 0x40, 0, 0, (0x2000000, {24, 188, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00979 540 NtQueryValueKey (188, (188, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00980 540 NtQueryValueKey (188, (188, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00981 540 NtOpenKey (0x2000000, {24, 188, 0x40, 0, 0, (0x2000000, {24, 188, 0x40, 0, 0, "Catalog_Entries"}, ... 192, ) }, ... 192, ) == 0x0 00982 540 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 00983 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000001"}, ... 196, ) }, ... 196, ) == 0x0 00984 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00985 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00986 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\333\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\333\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\334\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\335\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\333\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\333\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\334\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\335\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\333\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\333\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\334\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\335\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00987 540 NtClose (196, ... ) == 0x0 00988 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000002"}, ... 196, ) }, ... 196, ) == 0x0 00989 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00990 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00991 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\340\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\340\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\341\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\341\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\342\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\340\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\340\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\341\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\341\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\342\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\340\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\340\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\341\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\341\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\342\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00992 540 NtClose (196, ... ) == 0x0 00993 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000003"}, ... 196, ) }, ... 196, ) == 0x0 00994 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00995 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00996 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\345\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\345\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\346\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\347\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\345\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\345\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\346\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\347\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\345\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\345\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\346\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\347\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00997 540 NtClose (196, ... ) == 0x0 00998 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000004"}, ... 196, ) }, ... 196, ) == 0x0 00999 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01000 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01001 540 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01002 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\353\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\353\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\354\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\354\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\355\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\355\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\356\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\353\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\353\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\354\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\354\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\355\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\355\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\356\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\355\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\356\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\353\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\353\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\354\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\354\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\355\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\355\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\356\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01003 540 NtClose (196, ... ) == 0x0 01004 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000005"}, ... 196, ) }, ... 196, ) == 0x0 01005 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01006 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01007 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\360\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\360\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\361\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\361\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\362\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\360\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\360\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\361\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\361\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\362\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\360\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\360\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\361\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\361\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\362\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01008 540 NtClose (196, ... ) == 0x0 01009 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000006"}, ... 196, ) }, ... 196, ) == 0x0 01010 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01011 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01012 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\365\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\365\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\366\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\366\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\367\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\365\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\365\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\366\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\366\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\367\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\365\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\365\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\366\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\366\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\367\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01013 540 NtClose (196, ... ) == 0x0 01014 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000007"}, ... 196, ) }, ... 196, ) == 0x0 01015 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01016 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01017 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\372\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\372\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\373\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\374\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\374\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\375\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\372\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\372\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\373\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\374\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\374\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\375\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\374\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\375\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\372\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\372\3\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\373\3\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\374\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\374\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\375\3\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01018 540 NtClose (196, ... ) == 0x0 01019 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000008"}, ... 196, ) }, ... 196, ) == 0x0 01020 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01021 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01022 540 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01023 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\0\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\0\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\1\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\2\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\0\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\0\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\1\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\2\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\0\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\0\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\1\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\2\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01024 540 NtClose (196, ... ) == 0x0 01025 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000009"}, ... 196, ) }, ... 196, ) == 0x0 01026 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01027 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01028 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\5\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\5\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\6\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\7\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\7\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\10\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\5\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\5\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\6\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\7\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\7\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\10\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\7\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\10\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\5\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\5\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\6\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\7\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\7\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\10\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01029 540 NtClose (196, ... ) == 0x0 01030 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000010"}, ... 196, ) }, ... 196, ) == 0x0 01031 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01032 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01033 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\12\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\12\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\13\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\13\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\14\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\12\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\12\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\13\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\13\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\14\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\12\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\12\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\13\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0P\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\13\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\14\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\4\0\0\30\2\0\0\34\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01034 540 NtClose (196, ... ) == 0x0 01035 540 NtOpenKey (0x20019, {24, 192, 0x40, 0, 0, (0x20019, {24, 192, 0x40, 0, 0, "000000000011"}, ... 196, ) }, ... 196, ) == 0x0 01036 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01037 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01038 540 NtQueryValueKey (196, (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\17\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\17\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\20\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\4\0\0\30\2\0\0\34\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\21\4\0\0\30\2\0\0\34\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\22\4\0\0\30\2\0\0\34\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\22\4\0\0\30\2\0\0\34\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\23\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0l\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300\314\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\17\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\17\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\20\4\0\0\30\2\0\0\34\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\4\0\0\30\2\0\0\34\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\21\4\0\0\30\2\0\0\34\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\22\4\0\0\30\2\0\0\34\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\22\4\0\0\30\2\0\0\34\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\23\4\0\0\30\2\0\0\34\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0l\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300\314\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 01039 540 NtClose (196, ... ) == 0x0 01040 540 NtClose (192, ... ) == 0x0 01041 540 NtWaitForSingleObject (180, 0, {0, 0}, ... 
) == 0x102 01042 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0 01043 540 NtOpenKey (0x2000000, {24, 184, 0x40, 0, 0, (0x2000000, {24, 184, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 196, ) }, ... 196, ) == 0x0 01044 540 NtQueryValueKey (196, (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01045 540 NtNotifyChangeKey (196, 192, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01046 540 NtQueryValueKey (196, (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01047 540 NtOpenKey (0x2000000, {24, 196, 0x40, 0, 0, (0x2000000, {24, 196, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01048 540 NtQueryValueKey (196, (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01049 540 NtOpenKey (0x2000000, {24, 196, 0x40, 0, 0, (0x2000000, {24, 196, 0x40, 0, 0, "Catalog_Entries"}, ... 200, ) }, ... 200, ) == 0x0 01050 540 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000001"}, ... 204, ) }, ... 204, ) == 0x0 01051 540 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01052 540 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01053 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01054 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01055 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01056 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01057 540 NtQueryValueKey (204, (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01058 540 NtQueryValueKey (204, (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01059 540 NtQueryValueKey (204, (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01060 540 NtQueryValueKey (204, (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01061 540 NtQueryValueKey (204, (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01062 540 NtQueryValueKey (204, (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01063 540 NtClose (204, ... ) == 0x0 01064 540 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 01065 540 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000002"}, ... 204, ) }, ... 204, ) == 0x0 01066 540 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01067 540 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01068 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01069 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01070 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01071 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01072 540 NtQueryValueKey (204, (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01073 540 NtQueryValueKey (204, (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01074 540 NtQueryValueKey (204, (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01075 540 NtQueryValueKey (204, (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01076 540 NtQueryValueKey (204, (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01077 540 NtQueryValueKey (204, (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01078 540 NtClose (204, ... ) == 0x0 01079 540 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000003"}, ... 204, ) }, ... 204, ) == 0x0 01080 540 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01081 540 NtQueryValueKey (204, (204, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01082 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01083 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01084 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01085 540 NtQueryValueKey (204, (204, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01086 540 NtQueryValueKey (204, (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01087 540 NtQueryValueKey (204, (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01088 540 NtQueryValueKey (204, (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01089 540 NtQueryValueKey (204, (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01090 540 NtQueryValueKey (204, (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01091 540 NtQueryValueKey (204, (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01092 540 NtClose (204, ... 
) == 0x0 01093 540 NtClose (200, ... ) == 0x0 01094 540 NtWaitForSingleObject (192, 0, {0, 0}, ... ) == 0x102 01095 540 NtClose (184, ... ) == 0x0 01096 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01097 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01098 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0 01099 540 NtQueryValueKey (184, (184, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01100 540 NtClose (184, ... ) == 0x0 01101 540 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 184, ) == 0x0 01102 540 NtClearEvent (152, ... ) == 0x0 01103 540 NtSetEvent (152, ... 0x0, ) == 0x0 01104 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01105 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1240468, ... ) }, 1240468, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01106 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "icmp.dll"}, 1240468, ... ) }, 1240468, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01107 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 1240468, ... ) }, 1240468, ... ) == 0x0 01108 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01109 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 
204, ) == 0x0 01110 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01111 540 NtClose (200, ... ) == 0x0 01112 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0 01113 540 NtClose (204, ... ) == 0x0 01114 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01115 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1240932, ... ) }, 1240932, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01116 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1240932, ... ) }, 1240932, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01117 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1240932, ... ) }, 1240932, ... ) == 0x0 01118 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01119 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01120 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01121 540 NtClose (204, ... ) == 0x0 01122 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 01123 540 NtClose (200, ... ) == 0x0 01124 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01125 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1240128, ... ) }, 1240128, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01126 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 1240128, ... ) }, 1240128, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01127 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1240128, ... ) }, 1240128, ... ) == 0x0 01128 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01129 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 01130 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01131 540 NtClose (200, ... ) == 0x0 01132 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 01133 540 NtClose (204, ... ) == 0x0 01134 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01135 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1239324, ... ) }, 1239324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01136 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1239324, ... ) }, 1239324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01137 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1239324, ... ) }, 1239324, ... ) == 0x0 01138 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01139 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01140 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01141 540 NtClose (204, ... ) == 0x0 01142 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 01143 540 NtClose (200, ... 
) == 0x0 01144 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01145 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01146 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01147 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1238520, ... ) }, 1238520, ... ) == 0x0 01148 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01149 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 01150 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01151 540 NtClose (200, ... ) == 0x0 01152 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 01153 540 NtClose (204, ... ) == 0x0 01154 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01155 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1237716, ... ) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01156 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1237716, ... ) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01157 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1237716, ... ) }, 1237716, ... ) == 0x0 01158 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 
204, {status=0x0, info=1}, ) == 0x0 01159 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01160 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01161 540 NtClose (204, ... ) == 0x0 01162 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 01163 540 NtClose (200, ... ) == 0x0 01164 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01165 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1236912, ... ) }, 1236912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01166 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1236912, ... ) }, 1236912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01167 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1236912, ... ) }, 1236912, ... ) == 0x0 01168 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01169 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 01170 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01171 540 NtClose (200, ... ) == 0x0 01172 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01173 540 NtClose (204, ... ) == 0x0 01174 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 204, ) }, ... 204, ) == 0x0 01175 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01176 540 NtClose (204, ... ) == 0x0 01177 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01178 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237716, ... ) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01179 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237716, ... ) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01180 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237716, ... ) }, 1237716, ... ) == 0x0 01181 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01182 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01183 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01184 540 NtClose (204, ... ) == 0x0 01185 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 01186 540 NtClose (200, ... ) == 0x0 01187 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01188 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01189 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01190 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1238520, ... ) }, 1238520, ... ) == 0x0 01191 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01192 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 
204, ) == 0x0 01193 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01194 540 NtClose (200, ... ) == 0x0 01195 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 01196 540 NtClose (204, ... ) == 0x0 01197 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01198 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01199 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01200 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1238520, ... ) }, 1238520, ... ) == 0x0 01201 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01202 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01203 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01204 540 NtClose (204, ... ) == 0x0 01205 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 01206 540 NtClose (200, ... ) == 0x0 01207 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01208 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01209 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1238520, ... ) }, 1238520, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01210 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1238520, ... ) }, 1238520, ... ) == 0x0 01211 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01212 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 01213 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01214 540 NtClose (200, ... ) == 0x0 01215 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 01216 540 NtClose (204, ... ) == 0x0 01217 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01218 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1239324, ... ) }, 1239324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01219 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1239324, ... ) }, 1239324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01220 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1239324, ... ) }, 1239324, ... ) == 0x0 01221 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01222 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01223 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01224 540 NtClose (204, ... ) == 0x0 01225 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 01226 540 NtClose (200, ... 
) == 0x0 01227 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01228 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01229 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01230 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1238520, ... ) }, 1238520, ... ) == 0x0 01231 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01232 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 01233 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01234 540 NtClose (200, ... ) == 0x0 01235 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 01236 540 NtClose (204, ... ) == 0x0 01237 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01238 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01239 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01240 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1238520, ... ) }, 1238520, ... ) == 0x0 01241 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 
204, {status=0x0, info=1}, ) == 0x0 01242 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01243 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01244 540 NtClose (204, ... ) == 0x0 01245 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 01246 540 NtClose (200, ... ) == 0x0 01247 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01248 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1237716, ... ) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01249 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1237716, ... ) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01250 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1237716, ... ) }, 1237716, ... ) == 0x0 01251 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01252 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 01253 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01254 540 NtClose (200, ... ) == 0x0 01255 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 01256 540 NtClose (204, ... ) == 0x0 01257 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01258 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1239324, ... ) }, 1239324, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01259 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1239324, ... ) }, 1239324, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01260 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1239324, ... ) }, 1239324, ... ) == 0x0 01261 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01262 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01263 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01264 540 NtClose (204, ... ) == 0x0 01265 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 01266 540 NtClose (200, ... ) == 0x0 01267 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01268 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01269 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01270 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1238520, ... ) }, 1238520, ... ) == 0x0 01271 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01272 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 01273 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01274 540 NtClose (200, ... ) == 0x0 01275 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 01276 540 NtClose (204, ... 
) == 0x0 01277 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01278 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01279 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01280 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1238520, ... ) }, 1238520, ... ) == 0x0 01281 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01282 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01283 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01284 540 NtClose (204, ... ) == 0x0 01285 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 01286 540 NtClose (200, ... ) == 0x0 01287 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01288 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1237716, ... ) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01289 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1237716, ... ) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01290 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1237716, ... ) }, 1237716, ... ) == 0x0 01291 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 
200, {status=0x0, info=1}, ) == 0x0 01292 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 01293 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01294 540 NtClose (200, ... ) == 0x0 01295 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01296 540 NtClose (204, ... ) == 0x0 01297 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01298 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01299 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1238520, ... ) }, 1238520, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01300 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1238520, ... ) }, 1238520, ... ) == 0x0 01301 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01302 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0 01303 540 NtQuerySection (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01304 540 NtClose (204, ... ) == 0x0 01305 540 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 01306 540 NtClose (200, ... ) == 0x0 01307 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01308 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1237716, ... ) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01309 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1237716, ... 
) }, 1237716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01310 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1237716, ... ) }, 1237716, ... ) == 0x0 01311 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0 01312 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0 01313 540 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01314 540 NtClose (200, ... ) == 0x0 01315 540 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 01316 540 NtClose (204, ... ) == 0x0 01317 540 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0 01318 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 200, ) }, ... 200, ) == 0x0 01319 540 NtQueryValueKey (200, (200, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01320 540 NtClose (200, ... ) == 0x0 01321 540 NtQueryDefaultLocale (1, 1241576, ... ) == 0x0 01322 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01323 540 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 10092544, 262144, ) == 0x0 01324 540 NtAllocateVirtualMemory (-1, 10092544, 0, 4096, 4096, 4, ... 10092544, 4096, ) == 0x0 01325 540 NtAllocateVirtualMemory (-1, 10096640, 0, 8192, 4096, 4, ... 
10096640, 8192, ) == 0x0 01326 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01327 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01328 540 NtQueryDefaultLocale (1, 1241536, ... ) == 0x0 01329 540 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01330 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 200, ) }, ... 200, ) == 0x0 01331 540 NtQueryValueKey (200, (200, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01332 540 NtClose (200, ... ) == 0x0 01333 540 NtUserGetProcessWindowStation (... ) == 0x28 01334 540 NtUserGetObjectInformation (40, 1, 1241208, 12, 1241220, ... ) == 0x1 01335 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 200, ) }, ... 200, ) == 0x0 01336 540 NtQueryValueKey (200, (200, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 01337 540 NtClose (200, ... ) == 0x0 01338 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 200, ) }, ... 200, ) == 0x0 01339 540 NtQueryValueKey (200, (200, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (200, "OsLoaderPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01340 540 NtQueryValueKey (200, (200, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (200, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01341 540 NtClose (200, ... ) == 0x0 01342 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 200, ) }, ... 200, ) == 0x0 01343 540 NtQueryValueKey (200, (200, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (200, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01344 540 NtQueryValueKey (200, (200, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (200, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01345 540 NtClose (200, ... ) == 0x0 01346 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 200, ) }, ... 200, ) == 0x0 01347 540 NtQueryValueKey (200, (200, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (200, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01348 540 NtQueryValueKey (200, (200, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (200, "SourcePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01349 540 NtClose (200, ... ) == 0x0 01350 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 200, ) }, ... 200, ) == 0x0 01351 540 NtQueryValueKey (200, (200, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (200, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01352 540 NtQueryValueKey (200, (200, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (200, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01353 540 NtClose (200, ... ) == 0x0 01354 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 200, ) }, ... 200, ) == 0x0 01355 540 NtQueryValueKey (200, (200, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (200, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01356 540 NtQueryValueKey (200, (200, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (200, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01357 540 NtClose (200, ... 
) == 0x0 01358 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 200, ) }, ... 200, ) == 0x0 01359 540 NtQueryValueKey (200, (200, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (200, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 01360 540 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 01361 540 NtClose (200, ... ) == 0x0 01362 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0 01363 540 NtCreateMutant (0x1f0001, 0x0, 0, ... 208, ) == 0x0 01364 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0 01365 540 NtCreateMutant (0x1f0001, 0x0, 0, ... 216, ) == 0x0 01366 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 220, ) == 0x0 01367 540 NtCreateMutant (0x1f0001, 0x0, 0, ... 224, ) == 0x0 01368 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 228, ) }, ... 228, ) == 0x0 01369 540 NtQueryValueKey (228, (228, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01370 540 NtQueryValueKey (228, (228, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01371 540 NtOpenKey (0x1, {24, 228, 0x40, 0, 0, (0x1, {24, 228, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01372 540 NtClose (228, ... ) == 0x0 01373 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1241128, ... ) }, 1241128, ... ) == 0x0 01374 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 228, ) }, ... 
228, ) == 0x0 01375 540 NtQueryValueKey (228, (228, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (228, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (228, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01376 540 NtClose (228, ... ) == 0x0 01377 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 228, ) }, ... 228, ) == 0x0 01378 540 NtQueryValueKey (228, (228, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (228, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (228, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 01379 540 NtClose (228, ... ) == 0x0 01380 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01381 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 228, ) }, ... 228, ) == 0x0 01382 540 NtQueryValueKey (228, (228, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (228, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (228, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 01383 540 NtClose (228, ... ) == 0x0 01384 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
228, ) == 0x0 01385 540 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 232, ) == 0x0 01386 540 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 236, ) == 0x0 01387 540 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 240, ) }, ... 240, ) == 0x0 01388 540 NtQueryValueKey (240, (240, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01389 540 NtQueryValueKey (240, (240, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01390 540 NtQueryValueKey (240, (240, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01391 540 NtQueryValueKey (240, (240, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01392 540 NtQueryValueKey (240, (240, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01393 540 NtQueryValueKey (240, (240, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01394 540 NtQueryValueKey (240, (240, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01395 540 NtQueryValueKey (240, (240, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01396 540 NtQueryValueKey (240, (240, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01397 540 NtQueryValueKey (240, (240, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01398 540 NtQueryValueKey (240, (240, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01399 540 NtQueryValueKey (240, (240, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01400 540 NtQueryValueKey (240, (240, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01401 540 NtQueryValueKey (240, (240, "midi3", Partial, 536, ... 
) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01402 540 NtQueryValueKey (240, (240, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01403 540 NtQueryValueKey (240, (240, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01404 540 NtQueryValueKey (240, (240, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01405 540 NtQueryValueKey (240, (240, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01406 540 NtQueryValueKey (240, (240, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01407 540 NtQueryValueKey (240, (240, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01408 540 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 01409 540 NtQueryValueKey (240, (240, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01410 540 NtQueryValueKey (240, (240, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01411 540 NtQueryValueKey (240, (240, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01412 540 NtQueryValueKey (240, (240, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01413 540 NtQueryValueKey (240, (240, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01414 540 NtQueryValueKey (240, (240, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01415 540 NtQueryValueKey (240, (240, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01416 540 NtQueryValueKey (240, (240, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01417 540 NtQueryValueKey (240, (240, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01418 540 NtQueryValueKey (240, (240, "aux9", Partial, 536, ... 
) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01419 540 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 01420 540 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 244, ) }, ... 244, ) == 0x0 01421 540 NtQueryValueKey (244, (244, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01422 540 NtClose (244, ... ) == 0x0 01423 540 NtCreateEvent (0x1f0003, {24, 72, 0x80, 0, 0, (0x1f0003, {24, 72, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 01424 540 NtQueryValueKey (240, (240, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01425 540 NtQueryValueKey (240, (240, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 540 NtQueryValueKey (240, (240, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01427 540 NtQueryValueKey (240, (240, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01428 540 NtQueryValueKey (240, (240, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01429 540 NtQueryValueKey (240, (240, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01430 540 NtQueryValueKey (240, (240, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 540 NtQueryValueKey (240, (240, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 540 NtQueryValueKey (240, (240, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01433 540 NtQueryValueKey (240, (240, "mixer9", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01434 540 NtQueryDefaultUILanguage (1240096, ... 01435 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01436 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481956, ) == 0x0 01437 540 NtQueryInformationToken (-2147481956, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01438 540 NtClose (-2147481956, ... ) == 0x0 01439 540 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 01440 540 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 540 NtOpenKey (0x80000000, {24, -2147481956, 0x640, 0, 0, (0x80000000, {24, -2147481956, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481964, ) }, ... -2147481964, ) == 0x0 01442 540 NtQueryValueKey (-2147481964, (-2147481964, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01443 540 NtClose (-2147481964, ... ) == 0x0 01444 540 NtClose (-2147481956, ... ) == 0x0 01434 540 NtQueryDefaultUILanguage ... ) == 0x0 01445 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01446 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 244, {status=0x0, info=1}, ) }, 1, 96, ... 244, {status=0x0, info=1}, ) == 0x0 01447 540 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 244, ... 248, ) == 0x0 01448 540 NtMapViewOfSection (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 
(0xa00000), 0x0, 163840, ) == 0x0 01449 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01450 540 NtQueryDefaultLocale (1, 1238132, ... ) == 0x0 01451 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01452 540 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238988, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238988, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\364\0\0\0\377\377\377\377\0\0\0\0\360Z\242\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\314\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 536, 540, 1512, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\364\0\0\0\377\377\377\377\0\0\0\0\360Z\242\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\314\356\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 536, 540, 1512, 0} (24, {128, 156, new_msg, 0, 1238988, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\364\0\0\0\377\377\377\377\0\0\0\0\360Z\242\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\314\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 536, 540, 1512, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\364\0\0\0\377\377\377\377\0\0\0\0\360Z\242\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\314\356\22\0\0\0\0\0" ) ) == 0x0 01453 540 NtClose (244, ... 
) == 0x0 01454 540 NtClose (248, ... ) == 0x0 01455 540 NtUnmapViewOfSection (-1, 0xa00000, ... ) == 0x0 01456 540 NtUnmapViewOfSection (-1, 0x12eecc, ... ) == STATUS_NOT_MAPPED_VIEW 01457 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01458 540 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01459 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01460 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01461 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237216, ... ) }, 1237216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01462 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01463 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01464 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01465 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237808, ... ) }, 1237808, ... ) == 0x0 01466 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 248, {status=0x0, info=1}, ) }, 3, 33, ... 248, {status=0x0, info=1}, ) == 0x0 01467 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01468 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 244, ) }, ... 244, ) == 0x0 01469 540 NtQueryValueKey (244, (244, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01470 540 NtQueryValueKey (244, (244, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01471 540 NtClose (244, ... ) == 0x0 01472 540 NtCreateMutant (0x1f0001, 0x0, 0, ... 
244, ) == 0x0 01473 540 NtCreateMutant (0x1f0001, {24, 72, 0x80, 1381368, 0, (0x1f0001, {24, 72, 0x80, 1381368, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 01474 540 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "RasPbFile"}, ... 252, ) }, ... 252, ) == 0x0 01475 540 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 256, ) == 0x0 01476 540 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 260, ) == 0x0 01477 540 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 264, ) == 0x0 01478 540 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 268, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 268, 2, ) , 0, ... 268, 2, ) == 0x0 01479 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 272, ) }, ... 272, ) == 0x0 01480 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01481 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01482 540 NtQueryValueKey (272, (272, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01483 540 NtQueryValueKey (268, (268, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01484 540 NtQueryValueKey (272, (272, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01485 540 NtQueryValueKey (268, (268, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "UseDomainNameDevolution", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01486 540 NtQueryValueKey (272, (272, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01487 540 NtQueryValueKey (268, (268, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01488 540 NtQueryValueKey (272, (272, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01489 540 NtQueryValueKey (268, (268, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01490 540 NtQueryValueKey (272, (272, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01491 540 NtQueryValueKey (272, (272, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01492 540 NtQueryValueKey (272, (272, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01493 540 NtQueryValueKey (272, (272, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 540 NtQueryValueKey (272, (272, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01495 540 NtQueryValueKey (272, (272, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01496 540 NtQueryValueKey (272, (272, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01497 540 NtQueryValueKey (268, (268, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01498 540 NtQueryValueKey (272, (272, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01499 540 NtQueryValueKey (272, (272, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01500 540 NtQueryValueKey (268, (268, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01501 540 NtQueryValueKey (272, (272, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01502 540 NtQueryValueKey (268, (268, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01503 540 NtQueryValueKey (272, (272, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 540 NtQueryValueKey (268, (268, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01505 540 NtQueryValueKey (272, (272, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01506 540 NtQueryValueKey (268, (268, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01507 540 NtQueryValueKey (272, (272, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01508 540 NtQueryValueKey (268, (268, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01509 540 NtQueryValueKey (272, (272, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01510 540 NtQueryValueKey (268, (268, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01511 540 NtQueryValueKey (272, (272, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01512 540 NtQueryValueKey (268, (268, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01513 540 NtQueryValueKey (272, (272, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01514 540 NtQueryValueKey (268, (268, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01515 540 NtQueryValueKey (272, (272, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01516 540 NtQueryValueKey (272, (272, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01517 540 NtQueryValueKey (272, (272, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01518 540 NtQueryValueKey (272, (272, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01519 540 NtQueryValueKey (272, (272, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01520 540 NtQueryValueKey (272, (272, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01521 540 NtQueryValueKey (272, (272, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01522 540 NtQueryValueKey (272, (272, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01523 540 NtQueryValueKey (272, (272, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01524 540 NtQueryValueKey (272, (272, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01525 540 NtQueryValueKey (272, (272, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01526 540 NtQueryValueKey (272, (272, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01527 540 NtQueryValueKey (272, (272, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01528 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 
276, ) }, ... 276, ) == 0x0 01529 540 NtQueryValueKey (276, (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01530 540 NtClose (276, ... ) == 0x0 01531 540 NtClose (268, ... ) == 0x0 01532 540 NtClose (272, ... ) == 0x0 01533 540 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 272, ) }, ... 272, ) == 0x0 01534 540 NtQueryValueKey (272, (272, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01535 540 NtQueryValueKey (272, (272, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01536 540 NtQueryValueKey (272, (272, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01537 540 NtClose (272, ... ) == 0x0 01538 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 272, ) == 0x0 01539 540 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 268, ) == 0x0 01540 540 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 276, ) == 0x0 01541 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01542 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10485760, 65536, ) == 0x0 01543 540 NtAllocateVirtualMemory (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0 01544 540 NtAllocateVirtualMemory (-1, 10489856, 0, 8192, 4096, 4, ... 10489856, 8192, ) == 0x0 01545 540 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 
280, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 280, {status=0x0, info=0}, ) == 0x0 01546 540 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 284, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 284, {status=0x0, info=0}, ) == 0x0 01547 540 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 288, {status=0x0, info=0}, ) == 0x0 01548 540 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 292, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 292, {status=0x0, info=0}, ) == 0x0 01549 540 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1241660, (0x20100080, {24, 0, 0x40, 0, 1241660, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 296, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 296, {status=0x0, info=0}, ) == 0x0 01550 540 NtAllocateVirtualMemory (-1, 10498048, 0, 36864, 4096, 4, ... 10498048, 36864, ) == 0x0 01551 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0 01552 540 NtDeviceIoControlFile (280, 300, 0x0, 0x0, 0x120003, (280, 300, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (280, 300, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01553 540 NtClose (300, ... ) == 0x0 01554 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
300, ) == 0x0 01555 540 NtDeviceIoControlFile (280, 300, 0x0, 0x0, 0x120003, (280, 300, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0M/M\273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (280, 300, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0M/M\273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 01556 540 NtClose (300, ... ) == 0x0 01557 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0 01558 540 NtDeviceIoControlFile (280, 300, 0x0, 0x0, 0x120003, (280, 300, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0j/M\273\373a\5\0X\1\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\354\206\0\0\355\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (280, 300, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0j/M\273\373a\5\0X\1\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\354\206\0\0\355\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 01559 540 NtClose (300, ... 
) == 0x0 01560 540 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01561 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0 01562 540 NtDeviceIoControlFile (280, 300, 0x0, 0x0, 0x120003, (280, 300, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (280, 300, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01563 540 NtClose (300, ... ) == 0x0 01564 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0 01565 540 NtDeviceIoControlFile (280, 300, 0x0, 0x0, 0x120003, (280, 300, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (280, 300, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 01566 540 NtClose (300, ... ) == 0x0 01567 540 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0 01568 540 NtDeviceIoControlFile (280, 300, 0x0, 0x0, 0x120003, (280, 300, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (280, 300, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... 
{status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 01569 540 NtClose (300, ... ) == 0x0 01570 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01571 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01572 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01573 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01574 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01575 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01576 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01577 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01578 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01579 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01580 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01581 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01582 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01583 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... 
{BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01584 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01585 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01586 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01587 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01588 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01589 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01590 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01591 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01592 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01593 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01594 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01595 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01596 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01597 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 
10551296, 4096, ) == 0x0 01598 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01599 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01600 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01601 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01602 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01603 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01604 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01605 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01606 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01607 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01608 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01609 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01610 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01611 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... 
{BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01612 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01613 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01614 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01615 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01616 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01617 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01618 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01619 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01620 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01621 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01622 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01623 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01624 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01625 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
10551296, 65536, ) == 0x0 01626 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01627 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01628 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01629 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01630 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01631 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01632 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01633 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01634 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01635 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01636 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01637 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01638 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01639 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... 
(0xa10000), 65536, ) == 0x0 01640 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01641 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01642 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01643 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01644 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01645 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01646 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01647 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01648 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01649 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01650 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01651 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01652 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01653 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... 
{BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01654 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01655 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01656 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01657 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01658 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01659 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01660 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01661 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01662 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01663 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01664 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01665 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01666 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01667 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 
10551296, 4096, ) == 0x0 01668 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01669 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01670 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01671 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01672 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01673 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01674 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01675 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01676 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01677 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01678 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01679 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01680 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01681 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... 
{BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01682 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01683 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01684 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01685 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01686 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01687 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01688 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01689 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01690 540 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0 01691 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01692 540 NtAllocateVirtualMemory (-1, 10551296, 0, 1, 4096, 4, ... 10551296, 4096, ) == 0x0 01693 540 NtQueryVirtualMemory (-1, 0xa10000, Basic, 28, ... {BaseAddress=0xa10000,AllocationBase=0xa10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01694 540 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 65536, ) == 0x0 01695 540 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 
1384448, 4096, ) == 0x0 01696 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 300, ) }, ... 300, ) == 0x0 01697 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 304, ) }, ... 304, ) == 0x0 01698 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 308, ) }, ... 308, ) == 0x0 01699 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 312, ) }, ... 312, ) == 0x0 01700 540 NtQueryDefaultLocale (1, 1241596, ... ) == 0x0 01701 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01702 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1240468, ... ) }, 1240468, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01703 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "odbc32.dll"}, 1240468, ... ) }, 1240468, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01704 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 1240468, ... ) }, 1240468, ... ) == 0x0 01705 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 01706 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0 01707 540 NtQuerySection (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01708 540 NtClose (316, ... ) == 0x0 01709 540 NtMapViewOfSection (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0 01710 540 NtClose (320, ... 
) == 0x0 01711 540 NtProtectVirtualMemory (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 01712 540 NtProtectVirtualMemory (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 01713 540 NtFlushInstructionCache (-1, 528158720, 724, ... ) == 0x0 01714 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 320, ) }, ... 320, ) == 0x0 01715 540 NtMapViewOfSection (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 01716 540 NtClose (320, ... ) == 0x0 01717 540 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0 01718 540 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 01719 540 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 01720 540 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 01721 540 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 01722 540 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d 01723 540 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 01724 540 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 01725 540 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 01726 540 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 01727 540 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 01728 540 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 01729 540 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 01730 540 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 01731 540 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 01732 540 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... 
) == 0xc072 01733 540 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 01734 540 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 01735 540 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 01736 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01737 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01738 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01739 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01740 540 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 10551296, 262144, ) == 0x0 01741 540 NtAllocateVirtualMemory (-1, 10551296, 0, 4096, 4096, 4, ... 10551296, 4096, ) == 0x0 01742 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01743 540 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 10813440, 262144, ) == 0x0 01744 540 NtAllocateVirtualMemory (-1, 10813440, 0, 4096, 4096, 4, ... 10813440, 4096, ) == 0x0 01745 540 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01746 540 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 11075584, 262144, ) == 0x0 01747 540 NtAllocateVirtualMemory (-1, 11075584, 0, 4096, 4096, 4, ... 11075584, 4096, ) == 0x0 01748 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01749 540 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 11337728, 262144, ) == 0x0 01750 540 NtAllocateVirtualMemory (-1, 11337728, 0, 4096, 4096, 4, ... 11337728, 4096, ) == 0x0 01751 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01752 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01753 540 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01754 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01755 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236440, ... ) }, 1236440, ... 
) == 0x0 01756 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0 01757 540 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 320, ... 316, ) == 0x0 01758 540 NtClose (320, ... ) == 0x0 01759 540 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb10000), 0x0, 90112, ) == 0x0 01760 540 NtClose (316, ... ) == 0x0 01761 540 NtUnmapViewOfSection (-1, 0xb10000, ... ) == 0x0 01762 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236756, ... ) }, 1236756, ... ) == 0x0 01763 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 01764 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0 01765 540 NtQuerySection (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01766 540 NtClose (316, ... ) == 0x0 01767 540 NtMapViewOfSection (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0 01768 540 NtClose (320, ... ) == 0x0 01769 540 NtQueryDefaultLocale (1, 1238444, ... ) == 0x0 01770 540 NtAllocateVirtualMemory (-1, 10555392, 0, 4096, 4096, 4, ... 10555392, 4096, ) == 0x0 01771 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 320, ) }, ... 320, ) == 0x0 01772 540 NtClose (320, ... ) == 0x0 01773 540 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01774 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01775 540 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01776 540 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01777 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "avicap32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01778 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\avicap32.dll"}, 1240468, ... ) }, 1240468, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01779 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "avicap32.dll"}, 1240468, ... ) }, 1240468, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01780 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\avicap32.dll"}, 1240468, ... ) }, 1240468, ... ) == 0x0 01781 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\avicap32.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0 01782 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 320, ... 316, ) == 0x0 01783 540 NtQuerySection (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01784 540 NtClose (320, ... ) == 0x0 01785 540 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73b80000), 0x0, 73728, ) == 0x0 01786 540 NtClose (316, ... ) == 0x0 01787 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 316, ) }, ... 316, ) == 0x0 01788 540 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 01789 540 NtClose (316, ... ) == 0x0 01790 540 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVFW32.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01791 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVFW32.dll"}, 1239664, ... ) }, 1239664, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01792 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MSVFW32.dll"}, 1239664, ... ) }, 1239664, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01793 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSVFW32.dll"}, 1239664, ... ) }, 1239664, ... ) == 0x0 01794 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSVFW32.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 01795 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0 01796 540 NtQuerySection (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01797 540 NtClose (316, ... ) == 0x0 01798 540 NtMapViewOfSection (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73bd0000), 0x0, 126976, ) == 0x0 01799 540 NtClose (320, ... ) == 0x0 01800 540 NtProtectVirtualMemory (-1, (0x73bd1000), 952, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 01801 540 NtProtectVirtualMemory (-1, (0x73bd1000), 4096, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 01802 540 NtFlushInstructionCache (-1, 1941770240, 952, ... ) == 0x0 01803 540 NtQueryDefaultLocale (1, 1240420, ... ) == 0x0 01804 540 NtQueryDefaultLocale (1, 1240424, ... ) == 0x0 01805 540 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01806 540 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01807 540 NtCreateMutant (0x1f0001, {24, 72, 0x80, 0, 0, (0x1f0001, {24, 72, 0x80, 0, 0, "trb"}, 0, ... 320, ) }, 0, ... 320, ) == 0x0 01808 540 NtWaitForSingleObject (320, 0, {-300000000, -1}, ... 
) == 0x0 01809 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfzuxhfptqmsgz.exe"}, 1242412, ... ) }, 1242412, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01810 540 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241328, (0x80100080, {24, 0, 0x40, 0, 1241328, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0 01811 540 NtQueryInformationFile (316, 1242264, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01812 540 NtQueryInformationFile (316, 1242236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01813 540 NtQueryInformationFile (316, 1242188, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01814 540 NtAllocateVirtualMemory (-1, 1388544, 0, 8192, 4096, 4, ... 1388544, 8192, ) == 0x0 01815 540 NtQueryInformationFile (316, 1386536, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01816 540 NtQueryInformationFile (316, 1240732, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01817 540 NtQueryInformationFile (316, 1240576, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01818 540 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240584, (0x40110080, {24, 0, 0x40, 0, 1240584, "\??\C:\WINDOWS\System32\sfzuxhfptqmsgz.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01819 540 NtClose (-2147481956, ... ) == 0x0 01818 540 NtCreateFile ... 324, {status=0x0, info=2}, ) == 0x0 01820 540 NtQueryVolumeInformationFile (324, 1239956, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01821 540 NtQueryInformationFile (324, 1239916, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01822 540 NtQueryVolumeInformationFile (316, 1239956, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01823 540 NtQueryVolumeInformationFile (316, 1239640, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01824 540 NtSetInformationFile (324, 1239744, 8, EndOfFile, ... 
{status=0x0, info=0}, ) == 0x0 01825 540 NtAllocateVirtualMemory (-1, 1396736, 0, 65536, 4096, 4, ... 1396736, 65536, ) == 0x0 01826 540 NtReadFile (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0+\323\265\3o\262\333Po\262\333Po\262\333Po\262\332P\361\262\333P\254\275\206Ph\262\333P\24\256\327Pm\262\333P\354\256\325Ps\262\333P\0\255\320Pc\262\333P\0\255\321P\341\262\333Pi\221\320PT\262\333PRicho\262\333P\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\376\340\203F\0\0\0\0\0\0\0\0\340\0\16\1\13\1\6\0\0\254\3\0\0\346\13\0\0\0\0\0`#\2\0\0\20\0\0\0\300\3\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\17\0\0\4\0\0\201\25\6\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0P\17\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\17\0dI\0\0\0\300\3\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324R\17\0\204\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0S\253\3\0\0\20\0\0\0\254\3\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01827 540 NtWriteFile (324, 0, 0, 0, (324, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS 
mode.\15\15\12$\0\0\0\0\0\0\0+\323\265\3o\262\333Po\262\333Po\262\333Po\262\332P\361\262\333P\254\275\206Ph\262\333P\24\256\327Pm\262\333P\354\256\325Ps\262\333P\0\255\320Pc\262\333P\0\255\321P\341\262\333Pi\221\320PT\262\333PRicho\262\333P\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\376\340\203F\0\0\0\0\0\0\0\0\340\0\16\1\13\1\6\0\0\254\3\0\0\346\13\0\0\0\0\0`#\2\0\0\20\0\0\0\300\3\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\17\0\0\4\0\0\201\25\6\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0P\17\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\17\0dI\0\0\0\300\3\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324R\17\0\204\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0S\253\3\0\0\20\0\0\0\254\3\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01828 540 NtReadFile (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "Ph~f\4\200W\377\25\2241N\0\203\370\377\17\204+\3\0\0\213\336\211\275\314\376\377\377\211\235\310\376\377\377\211}\370jA3\300Y\215\265\310\376\377\377PPP\215\205\20\371\377\377P\213E\370\215\275\20\371\377\377@\363\245P\377\25\3400N\0\203\370\377\17\204\344\2\0\03\366\211u\374\215\205\20\371\377\377PV\377\25\344/N\0\205\300\17\204\264\2\0\0;u\364ug\215E\360\307E\360\20\0\0\0P\215E\314P\377u\364\377\25\2141N\0\203\370\377\17\204\216\2\0\03\311\205\333v\22\215\225\314\376\377\3779\2t\10A\203\302\4;\313r\364;\313u\31\203\373@s\24\211\204\215\314\376\377\377\213\235\310\376\377\377C\211\235\310\376\377\377;E\370\17\206P\2\0\0\211E\370\351H\2\0\0\277\0\20\0\0\215\205\20\327\377\377Wj\0P\350\35\352\0\0W\215\205\20\347\377\377j\0P\350\16\352\0\0\203\304\30\215\205\20\327\377\377j\0WPV\377\25\201N\0\205\300\177XV\377\25\2201N\03\311\205\333\17\206\374\1\0\0\215\205\314\376\377\37790t\15A\203\300\4;\313r\364\351\345\1\0\0\215C\377;\310s\35\215\204\215\314\376\377\377\213P\4A\211\20\213\235\310\376\377\377\203\300\4\215S\377;\312r\352K\211\235\310\376\377\377\351\265\1\0\03\366h\4\1\0\0\215\205\304\375\377\377VP\350\212\351\0\0\215\205\20\327\377\377\211u\10P\350;\301\0\0\203\304\20\205\300\17\206\207\1\0\0\213E\10\212\204\5\20\327\377\377<\12\210\2045\20\347\377\377\17\205\222\0\0\0\215\205\20\347\377\377h\260\247D\0P\350F\360\0\0Y\205\300YtO\215\205\20\347\377\377P\350\364\300\0\0\203\370\5Yv=h\270\247D\0h\274\247D\0\215\205\20\347\377\377h\300", ) , ) == 0x0 01829 540 NtWriteFile (324, 0, 0, 0, (324, 0, 0, 0, 
"Ph~f\4\200W\377\25\2241N\0\203\370\377\17\204+\3\0\0\213\336\211\275\314\376\377\377\211\235\310\376\377\377\211}\370jA3\300Y\215\265\310\376\377\377PPP\215\205\20\371\377\377P\213E\370\215\275\20\371\377\377@\363\245P\377\25\3400N\0\203\370\377\17\204\344\2\0\03\366\211u\374\215\205\20\371\377\377PV\377\25\344/N\0\205\300\17\204\264\2\0\0;u\364ug\215E\360\307E\360\20\0\0\0P\215E\314P\377u\364\377\25\2141N\0\203\370\377\17\204\216\2\0\03\311\205\333v\22\215\225\314\376\377\3779\2t\10A\203\302\4;\313r\364;\313u\31\203\373@s\24\211\204\215\314\376\377\377\213\235\310\376\377\377C\211\235\310\376\377\377;E\370\17\206P\2\0\0\211E\370\351H\2\0\0\277\0\20\0\0\215\205\20\327\377\377Wj\0P\350\35\352\0\0W\215\205\20\347\377\377j\0P\350\16\352\0\0\203\304\30\215\205\20\327\377\377j\0WPV\377\25\201N\0\205\300\177XV\377\25\2201N\03\311\205\333\17\206\374\1\0\0\215\205\314\376\377\37790t\15A\203\300\4;\313r\364\351\345\1\0\0\215C\377;\310s\35\215\204\215\314\376\377\377\213P\4A\211\20\213\235\310\376\377\377\203\300\4\215S\377;\312r\352K\211\235\310\376\377\377\351\265\1\0\03\366h\4\1\0\0\215\205\304\375\377\377VP\350\212\351\0\0\215\205\20\327\377\377\211u\10P\350;\301\0\0\203\304\20\205\300\17\206\207\1\0\0\213E\10\212\204\5\20\327\377\377<\12\210\2045\20\347\377\377\17\205\222\0\0\0\215\205\20\347\377\377h\260\247D\0P\350F\360\0\0Y\205\300YtO\215\205\20\347\377\377P\350\364\300\0\0\203\370\5Yv=h\270\247D\0h\274\247D\0\215\205\20\347\377\377h\300", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01830 540 NtReadFile (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "\203\304\10hH\360C\0h@\360C\0\350~\0\0\0\203\304\10\203=L5O\0\0u j\377\350\273\353\377\377\203\304\4\203\340 \205\300t\17\307\5L5O\0\1\0\0\0\350R\366\377\377\203}\20\0t\7\3507\0\0\0\353\24\307\5H5O\0\1\0\0\0\213M\10Q\377\258SO\0\213\345]\303\314\314\314\314\314\314\314\314\314\314\314\314\314U\213\354j\15\350fH\0\0\203\304\4]\303\314U\213\354j\15\350\366H\0\0\203\304\4]\303\314U\213\354\213E\10;E\14s\30\213M\10\2039\0t\5\213U\10\377\22\213E\10\203\300\4\211E\10\353\340]\303\314\314\314\314\314\314\314\314\314\314\314U\213\354\203\3540SVW\215E\340\211E\334\215M\20\211M\324\203}\10\0u\36h\\315C\0j\0j]hP\315C\0j\2\350\200;\0\0\203\304\24\203\370\1u\1\3143\322\205\322u\326\203}\14\0u\36h@\315C\0j\0j^hP\315C\0j\2\350V;\0\0\203\304\24\203\370\1u\1\3143\300\205\300u\326\213M\334\307A\14B\0\0\0\213U\334\213E\10\211B\10\213M\334\213U\10\211\21\213E\334\307@\4\377\377\377\177\213M\324Q\213U\14R\213E\334P\350a\224\0\0\203\304\14\211E\330\213M\334\213Q\4\203\352\1\213E\334\211P\4\213M\334\203y\4\0|"\213U\334\213\2\306\0\03\311\201\341\377\0\0\0\211M\320\213U\334\213\2\203\300\1\213M\334\211\1\353\21\213U\334Rj\0\350\226\221\0\0\203\304\10\211E\320\213E\330_^[\213\345]\303\314\314\314\314\314\314U\213\354\350x\243\0\0\213M\10\211H\24]\303U\213\354Q\350g\243\0\0\211E\374\213E\374\213H\24i\311\375C\3\0\201\301\303\236&\0\213U\374\211J\24", ) \213U\334\213\2\306\0\03\311\201\341\377\0\0\0\211M\320\213U\334\213\2\203\300\1\213M\334\211\1\353\21\213U\334Rj\0\350\226\221\0\0\203\304\10\211E\320\213E\330_^[\213\345]\303\314\314\314\314\314\314U\213\354\350x\243\0\0\213M\10\211H\24]\303U\213\354Q\350g\243\0\0\211E\374\213E\374\213H\24i\311\375C\3\0\201\301\303\236&\0\213U\374\211J\24", ) == 0x0 01831 540 NtWriteFile (324, 0, 0, 0, (324, 0, 0, 0, "\203\304\10hH\360C\0h@\360C\0\350~\0\0\0\203\304\10\203=L5O\0\0u j\377\350\273\353\377\377\203\304\4\203\340 
\205\300t\17\307\5L5O\0\1\0\0\0\350R\366\377\377\203}\20\0t\7\3507\0\0\0\353\24\307\5H5O\0\1\0\0\0\213M\10Q\377\258SO\0\213\345]\303\314\314\314\314\314\314\314\314\314\314\314\314\314U\213\354j\15\350fH\0\0\203\304\4]\303\314U\213\354j\15\350\366H\0\0\203\304\4]\303\314U\213\354\213E\10;E\14s\30\213M\10\2039\0t\5\213U\10\377\22\213E\10\203\300\4\211E\10\353\340]\303\314\314\314\314\314\314\314\314\314\314\314U\213\354\203\3540SVW\215E\340\211E\334\215M\20\211M\324\203}\10\0u\36h\\315C\0j\0j]hP\315C\0j\2\350\200;\0\0\203\304\24\203\370\1u\1\3143\322\205\322u\326\203}\14\0u\36h@\315C\0j\0j^hP\315C\0j\2\350V;\0\0\203\304\24\203\370\1u\1\3143\300\205\300u\326\213M\334\307A\14B\0\0\0\213U\334\213E\10\211B\10\213M\334\213U\10\211\21\213E\334\307@\4\377\377\377\177\213M\324Q\213U\14R\213E\334P\350a\224\0\0\203\304\14\211E\330\213M\334\213Q\4\203\352\1\213E\334\211P\4\213M\334\203y\4\0|"\213U\334\213\2\306\0\03\311\201\341\377\0\0\0\211M\320\213U\334\213\2\203\300\1\213M\334\211\1\353\21\213U\334Rj\0\350\226\221\0\0\203\304\10\211E\320\213E\330_^[\213\345]\303\314\314\314\314\314\314U\213\354\350x\243\0\0\213M\10\211H\24]\303U\213\354Q\350g\243\0\0\211E\374\213E\374\213H\24i\311\375C\3\0\201\301\303\236&\0\213U\374\211J\24", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \213U\334\213\2\306\0\03\311\201\341\377\0\0\0\211M\320\213U\334\213\2\203\300\1\213M\334\211\1\353\21\213U\334Rj\0\350\226\221\0\0\203\304\10\211E\320\213E\330_^[\213\345]\303\314\314\314\314\314\314U\213\354\350x\243\0\0\213M\10\211H\24]\303U\213\354Q\350g\243\0\0\211E\374\213E\374\213H\24i\311\375C\3\0\201\301\303\236&\0\213U\374\211J\24", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01832 540 NtReadFile (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "U\213\354\203\354,\213E\10-l\7\0\0\211E\10\203}\10F|\11\201}\10\212\0\0\0~\10\203\310\377\351\302\0\0\0\213M\14\213U\20\3\24\215|FE\0\211U\324\213E\10\203\340\3\205\300u\17\203}\14\2~\11\213M\324\203\301\1\211M\324\213U\10\203\352Fi\322m\1\0\0\213E\10\203\350\1\301\370\2\213M\324\3\312\215T\10\357k\322\30\3U\24\211U\374\213E\374k\300<\3E\30k\300<\3E\34\211E\374\350\1V\0\0\213M\374\3\15\230EE\0\211M\374\213U\324\211U\364\213E\10\211E\354\213M\14\203\351\1\211M\350\213U\24\211U\340\203} \1t\37\203} \377u%\203=\234EE\0\0t\34\215E\330P\350\314Y\0\0\203\304\4\205\300t\14\213M\374\3\15\240EE\0\211M\374\213E\374\213\345]\303\314\314U\213\354\201\354\260\0\0\0\203}\10\0|\6\203}\10\5~\73\300\351\317\3\0\0j\23\350\315W\377\377\203\304\4\307E\374\1\0\0\0\241\3049O\0\203\300\1\243\3049O\0\203=\3109O\0\0t\12j\1\377\25LSO\0\353\355\203}\10\0t>\203}\14\0t\30\213M\14Q\213U\10R\350\212\3\0\0\203\304\10\211\205X\377\377\377\353\22\213E\10k\300\14\213\210\324CE\0\211\215X\377\377\377\213\225X\377\377\377\211U\370\351:\3\0\0\307E\354\1\0\0\0\307E\364\0\0\0\0\203}\14\0\17\204\32\3\0\0\213E\14\17\276\10\203\371L\17\205\34\2\0\0\213U\14\17\276B\1\203\370C\17\205\14\2\0\0\213M\14\17\276Q\2\203\372_\17\205\374\1\0\0\213E\14\211\205d\377\377\377h\344\323C\0\213\215d\377\377\377Q\350\356r\0\0\203\304\10\211\205`\377\377\377\203\275`\377\377\377\0t)", ) , ) == 0x0 01833 540 NtWriteFile (324, 0, 0, 0, (324, 0, 0, 0, "U\213\354\203\354,\213E\10-l\7\0\0\211E\10\203}\10F|\11\201}\10\212\0\0\0~\10\203\310\377\351\302\0\0\0\213M\14\213U\20\3\24\215|FE\0\211U\324\213E\10\203\340\3\205\300u\17\203}\14\2~\11\213M\324\203\301\1\211M\324\213U\10\203\352Fi\322m\1\0\0\213E\10\203\350\1\301\370\2\213M\324\3\312\215T\10\357k\322\30\3U\24\211U\374\213E\374k\300<\3E\30k\300<\3E\34\211E\374\350\1V\0\0\213M\374\3\15\230EE\0\211M\374\213U\324\211U\364\213E\10\211E\354\213M\14\203\351\1\211M\350\213U\24\211U\340\203} \1t\37\203} 
\377u%\203=\234EE\0\0t\34\215E\330P\350\314Y\0\0\203\304\4\205\300t\14\213M\374\3\15\240EE\0\211M\374\213E\374\213\345]\303\314\314U\213\354\201\354\260\0\0\0\203}\10\0|\6\203}\10\5~\73\300\351\317\3\0\0j\23\350\315W\377\377\203\304\4\307E\374\1\0\0\0\241\3049O\0\203\300\1\243\3049O\0\203=\3109O\0\0t\12j\1\377\25LSO\0\353\355\203}\10\0t>\203}\14\0t\30\213M\14Q\213U\10R\350\212\3\0\0\203\304\10\211\205X\377\377\377\353\22\213E\10k\300\14\213\210\324CE\0\211\215X\377\377\377\213\225X\377\377\377\211U\370\351:\3\0\0\307E\354\1\0\0\0\307E\364\0\0\0\0\203}\14\0\17\204\32\3\0\0\213E\14\17\276\10\203\371L\17\205\34\2\0\0\213U\14\17\276B\1\203\370C\17\205\14\2\0\0\213M\14\17\276Q\2\203\372_\17\205\374\1\0\0\213E\14\211\205d\377\377\377h\344\323C\0\213\215d\377\377\377Q\350\356r\0\0\203\304\10\211\205`\377\377\377\203\275`\377\377\377\0t)", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01834 540 NtReadFile (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, " name unknown>\0\0dbgrpt.c\0\0\0\0szUserMessage != NULL\0\0\0_freebuf.c\0\0mlock.c\0\377\377\377\377\0\0\0\0\2057B\0\377\377\377\377\0\0\0\0\78B\0\377\377\377\377\0\0\0\0!9B\0\377\377\377\377\0\0\0\0\32:B\0\377\377\377\377\0\0\0\0XB\0\377\377\377\377\0\0\0\0\253?B\0\377\377\377\377\0\0\0\0-@B\0\377\377\377\377\0\0\0\0\342@B\0\377\377\377\377\0\0\0\0'AB\0__GLOBAL_HEAP_SELECTED\0\0__MSVCRT_HEAP_SELECT\0\0\0\0_filbuf.c\0\0\0_open.c\0filename != NULL\0\0\0\0stream.c\0\0\0\0("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)\0\0_flsbuf.c\0\0\0\6\0\0\6\0\1\0\0\20\0\3\6\0\6\2\20\4EEE\5\5\5\5\550\0P\0\0\0\0 (8PX\7\10\0700WP\7\0\0 \10\0\0\0\0\10`h````\0\0ppxxxx\10\7\10\0\0\7\0\10\10\10\0\0\10\0\10\0\7\10\0\0\0(\0n\0u\0l\0l\0)\0\0\0\0\0(null)\0\0output.c\0\0\0\0ch !", ) inconsistent IOB fields (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, " name unknown>\0\0dbgrpt.c\0\0\0\0szUserMessage != NULL\0\0\0_freebuf.c\0\0mlock.c\0\377\377\377\377\0\0\0\0\2057B\0\377\377\377\377\0\0\0\0\78B\0\377\377\377\377\0\0\0\0!9B\0\377\377\377\377\0\0\0\0\32:B\0\377\377\377\377\0\0\0\0XB\0\377\377\377\377\0\0\0\0\253?B\0\377\377\377\377\0\0\0\0-@B\0\377\377\377\377\0\0\0\0\342@B\0\377\377\377\377\0\0\0\0'AB\0__GLOBAL_HEAP_SELECTED\0\0__MSVCRT_HEAP_SELECT\0\0\0\0_filbuf.c\0\0\0_open.c\0filename != NULL\0\0\0\0stream.c\0\0\0\0("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)\0\0_flsbuf.c\0\0\0\6\0\0\6\0\1\0\0\20\0\3\6\0\6\2\20\4EEE\5\5\5\5\550\0P\0\0\0\0 (8PX\7\10\0700WP\7\0\0 \10\0\0\0\0\10`h````\0\0ppxxxx\10\7\10\0\0\7\0\10\10\10\0\0\10\0\10\0\7\10\0\0\0(\0n\0u\0l\0l\0)\0\0\0\0\0(null)\0\0output.c\0\0\0\0ch !", ) , ) == 0x0 01835 540 NtWriteFile (324, 0, 0, 0, (324, 0, 0, 0, " name unknown>\0\0dbgrpt.c\0\0\0\0szUserMessage != NULL\0\0\0_freebuf.c\0\0mlock.c\0\377\377\377\377\0\0\0\0\2057B\0\377\377\377\377\0\0\0\0\78B\0\377\377\377\377\0\0\0\0!9B\0\377\377\377\377\0\0\0\0\32:B\0\377\377\377\377\0\0\0\0XB\0\377\377\377\377\0\0\0\0\253?B\0\377\377\377\377\0\0\0\0-@B\0\377\377\377\377\0\0\0\0\342@B\0\377\377\377\377\0\0\0\0'AB\0__GLOBAL_HEAP_SELECTED\0\0__MSVCRT_HEAP_SELECT\0\0\0\0_filbuf.c\0\0\0_open.c\0filename != NULL\0\0\0\0stream.c\0\0\0\0("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)\0\0_flsbuf.c\0\0\0\6\0\0\6\0\1\0\0\20\0\3\6\0\6\2\20\4EEE\5\5\5\5\550\0P\0\0\0\0 (8PX\7\10\0700WP\7\0\0 \10\0\0\0\0\10`h````\0\0ppxxxx\10\7\10\0\0\7\0\10\10\10\0\0\10\0\10\0\7\10\0\0\0(\0n\0u\0l\0l\0)\0\0\0\0\0(null)\0\0output.c\0\0\0\0ch !", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) inconsistent IOB fields (324, 0, 0, 0, " name unknown>\0\0dbgrpt.c\0\0\0\0szUserMessage != NULL\0\0\0_freebuf.c\0\0mlock.c\0\377\377\377\377\0\0\0\0\2057B\0\377\377\377\377\0\0\0\0\78B\0\377\377\377\377\0\0\0\0!9B\0\377\377\377\377\0\0\0\0\32:B\0\377\377\377\377\0\0\0\0XB\0\377\377\377\377\0\0\0\0\253?B\0\377\377\377\377\0\0\0\0-@B\0\377\377\377\377\0\0\0\0\342@B\0\377\377\377\377\0\0\0\0'AB\0__GLOBAL_HEAP_SELECTED\0\0__MSVCRT_HEAP_SELECT\0\0\0\0_filbuf.c\0\0\0_open.c\0filename != NULL\0\0\0\0stream.c\0\0\0\0("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)\0\0_flsbuf.c\0\0\0\6\0\0\6\0\1\0\0\20\0\3\6\0\6\2\20\4EEE\5\5\5\5\550\0P\0\0\0\0 (8PX\7\10\0700WP\7\0\0 \10\0\0\0\0\10`h````\0\0ppxxxx\10\7\10\0\0\7\0\10\10\10\0\0\10\0\10\0\7\10\0\0\0(\0n\0u\0l\0l\0)\0\0\0\0\0(null)\0\0output.c\0\0\0\0ch !", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01836 540 NtReadFile (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s:%d (316, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) %s (316, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", ) , ) == 0x0 01837 540 NtWriteFile (324, 0, 0, 0, (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) %s:%d (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) %s (324, 0, 0, 0, "AL\0\0PAYPAL.COM\0\0paypal.com\0\0Set-Cookie:\0VULN sniff\0\0OpenSSL/0.9.6\0\0\0Serv-U FTP Server\0\0\0OpenSSH_2\0\0\0-\34\2sniffer\2\3- bind() failed, returned %d\0\0\0-\34\2sniffer\2\3- WSAIoctl() failed, returned %d\0\0\0%s\0\0%s\0\0-\34\2sniffer\2\3- Bot sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- IRC sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- FTP sniff "%s:%d" to "%s:%d": - "%s"\0-\34\2sniffer\2\3- HTTP sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2sniffer\2\3- VULN sniff "%s:%d" to "%s:%d": - "%s"\0\0\0\0-\34\2ddos\2\3- done with flood at %", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01838 540 NtReadFile (316, 0, 0, 0, 61440, 0x0, 0, ... ) == STATUS_END_OF_FILE 01839 540 NtFreeVirtualMemory (-1, (0x154000), 69632, 16384, ... (0x154000), 69632, ) == 0x0 01840 540 NtSetInformationFile (324, 1242188, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01841 540 NtClose (316, ... ) == 0x0 01842 540 NtClose (324, ... ) == 0x0 01843 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241328, ... ) }, 1241328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01844 540 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241328, ... ) }, 1241328, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01845 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1241328, ... ) }, 1241328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01846 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241328, ... ) }, 1241328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01847 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241328, ... ) }, 1241328, ... ) == 0x0 01848 540 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242084, (0x80100080, {24, 0, 0x40, 0, 1242084, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0 01849 540 NtQueryInformationFile (324, 1242136, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01850 540 NtClose (324, ... ) == 0x0 01851 540 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1242084, (0x40100080, {24, 0, 0x40, 0, 1242084, "\??\C:\WINDOWS\System32\sfzuxhfptqmsgz.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0 01852 540 NtSetInformationFile (324, 1242136, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01853 540 NtClose (324, ... ) == 0x0 01854 540 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfzuxhfptqmsgz.exe"}, 7, 2113568, ... 324, {status=0x0, info=1}, ) }, 7, 2113568, ... 324, {status=0x0, info=1}, ) == 0x0 01855 540 NtSetInformationFile (324, 1242388, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01856 540 NtClose (324, ... ) == 0x0 01857 540 NtOpenProcess (0x100000, {24, 0, 0x2, 0, 0, 0x0}, {536, 0}, ... 324, ) == 0x0 01858 540 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... 
) == STATUS_ACCESS_DENIED 01859 540 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfzuxhfptqmsgz.exe"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 01860 540 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 316, ... 328, ) == 0x0 01861 540 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01862 540 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 332, ) }, ... 332, ) == 0x0 01863 540 NtQueryValueKey (332, (332, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01864 540 NtClose (332, ... ) == 0x0 01865 540 NtQueryVolumeInformationFile (316, 1238884, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01866 540 NtOpenMutant (0x120001, {24, 72, 0x0, 0, 0, (0x120001, {24, 72, 0x0, 0, 0, "ShimCacheMutex"}, ... 332, ) }, ... 332, ) == 0x0 01867 540 NtWaitForSingleObject (332, 0, {-1000000, -1}, ... ) == 0x0 01868 540 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "ShimSharedMemory"}, ... 336, ) }, ... 336, ) == 0x0 01869 540 NtMapViewOfSection (336, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xb10000), {0, 0}, 57344, ) == 0x0 01870 540 NtReleaseMutant (332, ... 0x0, ) == 0x0 01871 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1236868, ... ) }, 1236868, ... ) == 0x0 01872 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0 01873 540 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 340, ... 344, ) == 0x0 01874 540 NtClose (340, ... 
) == 0x0 01875 540 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb20000), 0x0, 106496, ) == 0x0 01876 540 NtClose (344, ... ) == 0x0 01877 540 NtUnmapViewOfSection (-1, 0xb20000, ... ) == 0x0 01878 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237184, ... ) }, 1237184, ... ) == 0x0 01879 540 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 01880 540 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 344, ... 340, ) == 0x0 01881 540 NtQuerySection (340, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01882 540 NtClose (344, ... ) == 0x0 01883 540 NtMapViewOfSection (340, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01884 540 NtClose (340, ... ) == 0x0 01885 540 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0 01886 540 NtQueryInformationFile (340, 1237472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01887 540 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 340, ... 344, ) == 0x0 01888 540 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xb20000), 0x0, 1028096, ) == 0x0 01889 540 NtQueryInformationFile (340, 1237568, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01890 540 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01891 540 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01892 540 NtQueryInformationProcess (-1, Wow64, 4, ... 
{process info, class 26, size 4}, 0x0, ) == 0x0 01893 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01894 540 NtQueryDirectoryFile (348, 0, 0, 0, 1235132, 616, BothDirectory, 1, (348, 0, 0, 0, 1235132, 616, BothDirectory, 1, "sfzuxhfptqmsgz.exe", 0, ... {status=0x0, info=130}, ) , 0, ... {status=0x0, info=130}, ) == 0x0 01895 540 NtClose (348, ... ) == 0x0 01896 540 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01897 540 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01898 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfzuxhfptqmsgz.exe"}, 1234520, ... ) }, 1234520, ... ) == 0x0 01899 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01900 540 NtQueryDirectoryFile (348, 0, 0, 0, 1233880, 616, BothDirectory, 1, (348, 0, 0, 0, 1233880, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01901 540 NtClose (348, ... ) == 0x0 01902 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01903 540 NtQueryDirectoryFile (348, 0, 0, 0, 1233880, 616, BothDirectory, 1, (348, 0, 0, 0, 1233880, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01904 540 NtClose (348, ... ) == 0x0 01905 540 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01906 540 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01907 540 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01908 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01909 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 348, ) == 0x0 01910 540 NtQueryInformationToken (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01911 540 NtClose (348, ... ) == 0x0 01912 540 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01913 540 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\sfzuxhfptqmsgz.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01914 540 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01915 540 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01916 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfzuxhfptqmsgz.exe"}, 1236800, ... ) }, 1236800, ... ) == 0x0 01917 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01918 540 NtQueryDirectoryFile (348, 0, 0, 0, 1236160, 616, BothDirectory, 1, (348, 0, 0, 0, 1236160, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01919 540 NtClose (348, ... ) == 0x0 01920 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 
348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01921 540 NtQueryDirectoryFile (348, 0, 0, 0, 1236160, 616, BothDirectory, 1, (348, 0, 0, 0, 1236160, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01922 540 NtClose (348, ... ) == 0x0 01923 540 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01924 540 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01925 540 NtWaitForSingleObject (332, 0, {-1000000, -1}, ... ) == 0x0 01926 540 NtQueryVolumeInformationFile (316, 1237444, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01927 540 NtQueryInformationFile (316, 1237424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01928 540 NtQueryInformationFile (316, 1237464, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01929 540 NtReleaseMutant (332, ... 0x0, ) == 0x0 01930 540 NtUnmapViewOfSection (-1, 0xb20000, ... ) == 0x0 01931 540 NtClose (344, ... ) == 0x0 01932 540 NtClose (340, ... ) == 0x0 01933 540 NtQuerySection (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01934 540 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfzuxhfptqmsgz.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01935 540 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01936 540 NtOpenProcessToken (-1, 0xa, ... 340, ) == 0x0 01937 540 NtQueryInformationToken (340, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 01938 540 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01939 540 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0 01940 540 NtQueryValueKey (344, (344, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (344, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01941 540 NtQueryValueKey (344, (344, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (344, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01942 540 NtClose (344, ... ) == 0x0 01943 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0 01944 540 NtQueryValueKey (344, (344, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01945 540 NtQueryValueKey (344, (344, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (344, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01946 540 NtClose (344, ... ) == 0x0 01947 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01948 540 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0 01949 540 NtQueryValueKey (344, (344, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01950 540 NtClose (344, ... ) == 0x0 01951 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01952 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01953 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01954 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01955 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01956 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01957 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01958 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01959 540 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 01960 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01961 540 NtQueryDefaultLocale (1, 1238256, ... ) == 0x0 01962 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 344, ) }, ... 344, ) == 0x0 01963 540 NtEnumerateKey (344, 0, Basic, 280, ... 
{LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (344, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 01964 540 NtOpenKey (0x20019, {24, 344, 0x40, 0, 0, (0x20019, {24, 344, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 348, ) }, ... 348, ) == 0x0 01965 540 NtQueryValueKey (348, (348, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (348, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 01966 540 NtQueryValueKey (348, (348, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (348, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01967 540 NtClose (348, ... ) == 0x0 01968 540 NtEnumerateKey (344, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01969 540 NtClose (344, ... ) == 0x0 01970 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01971 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01972 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01973 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01974 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01975 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01976 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01977 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01978 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01979 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01980 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01981 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01982 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01983 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01984 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01985 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 01986 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01987 540 NtClose (344, ... ) == 0x0 01988 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01989 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01990 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 01991 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01992 540 NtClose (344, ... ) == 0x0 01993 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01994 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01995 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 01996 540 NtQueryInformationToken (344, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01997 540 NtClose (344, ... ) == 0x0 01998 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01999 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02000 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02001 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02002 540 NtClose (344, ... ) == 0x0 02003 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02004 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02005 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02006 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02007 540 NtClose (344, ... ) == 0x0 02008 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02009 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02010 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02011 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02012 540 NtClose (344, ... ) == 0x0 02013 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02014 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02015 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02016 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02017 540 NtClose (344, ... ) == 0x0 02018 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02019 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02020 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02021 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02022 540 NtClose (344, ... ) == 0x0 02023 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02024 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02025 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02026 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02027 540 NtClose (344, ... ) == 0x0 02028 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02029 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02030 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02031 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02032 540 NtClose (344, ... 
) == 0x0 02033 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02034 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02035 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02036 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02037 540 NtClose (344, ... ) == 0x0 02038 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02039 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02040 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02041 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02042 540 NtClose (344, ... ) == 0x0 02043 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02044 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02045 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02046 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02047 540 NtClose (344, ... ) == 0x0 02048 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02049 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02050 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02051 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02052 540 NtClose (344, ... ) == 0x0 02053 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02054 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02055 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02056 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02057 540 NtClose (344, ... ) == 0x0 02058 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02059 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0 02060 540 NtQueryValueKey (344, (344, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (344, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (344, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 02061 540 NtClose (344, ... ) == 0x0 02062 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02063 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 02064 540 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02065 540 NtClose (344, ... 
) == 0x0 02066 540 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02067 540 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 02068 540 NtOpenProcessToken (-1, 0xa, ... 344, ) == 0x0 02069 540 NtDuplicateToken (344, 0xc, {24, 0, 0x0, 0, 1238776, 0x0}, 0, 2, ... 348, ) == 0x0 02070 540 NtClose (344, ... ) == 0x0 02071 540 NtAccessCheck (1393144, 348, 0x1, 1238904, 1238848, 56, 1238932, ... (0x1), ) == 0x0 02072 540 NtClose (348, ... ) == 0x0 02073 540 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 348, ) }, ... 348, ) == 0x0 02074 540 NtQueryValueKey (348, (348, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (348, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02075 540 NtClose (348, ... ) == 0x0 02076 540 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 348, ) }, ... 348, ) == 0x0 02077 540 NtQuerySymbolicLinkObject (348, ... (348, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 02078 540 NtClose (348, ... ) == 0x0 02079 540 NtQueryInformationFile (316, 1237236, 528, Name, ... {status=0x0, info=76}, ) == 0x0 02080 540 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02081 540 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02082 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfzuxhfptqmsgz.exe"}, 1235916, ... ) }, 1235916, ... ) == 0x0 02083 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 
348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 02084 540 NtQueryDirectoryFile (348, 0, 0, 0, 1235276, 616, BothDirectory, 1, (348, 0, 0, 0, 1235276, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02085 540 NtClose (348, ... ) == 0x0 02086 540 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 02087 540 NtQueryDirectoryFile (348, 0, 0, 0, 1235276, 616, BothDirectory, 1, (348, 0, 0, 0, 1235276, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02088 540 NtClose (348, ... ) == 0x0 02089 540 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02090 540 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02091 540 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02092 540 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 348, ) == 0x0 02093 540 NtQueryInformationToken (348, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02094 540 NtClose (348, ... ) == 0x0 02095 540 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 348, ) }, ... 348, ) == 0x0 02096 540 NtOpenKey (0x20019, {24, 348, 0x40, 0, 0, (0x20019, {24, 348, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 344, ) }, ... 344, ) == 0x0 02097 540 NtClose (348, ... ) == 0x0 02098 540 NtQueryValueKey (344, (344, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02099 540 NtQueryValueKey (344, (344, "Cache", Partial, 162, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (344, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 02100 540 NtClose (344, ... ) == 0x0 02101 540 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 11665408, 4096, ) == 0x0 02102 540 NtAllocateVirtualMemory (-1, 11665408, 0, 4096, 4096, 4, ... 11665408, 4096, ) == 0x0 02103 540 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 344, ) }, ... 344, ) == 0x0 02104 540 NtQueryValueKey (344, (344, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02105 540 NtClose (344, ... ) == 0x0 02106 540 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02107 540 NtQueryInformationToken (340, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 02108 540 NtQueryInformationToken (340, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 02109 540 NtClose (340, ... ) == 0x0 02110 540 NtCreateProcessEx (1241512, 2035711, 0, -1, 4, 328, 0, 0, 0, ... ) == 0x0 02111 540 NtSetInformationProcess (340, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0 02112 540 NtQueryInformationProcess (340, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=636,ParentPid=536,}, 0x0, ) == 0x0 02113 540 NtReadVirtualMemory (340, 0x7ffdf008, 4, ... (340, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 02114 540 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfzuxhfptqmsgz.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02115 540 NtAllocateVirtualMemory (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0 02116 540 NtReadVirtualMemory (340, 0x400000, 4096, ... (340, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0+\323\265\3o\262\333Po\262\333Po\262\333Po\262\332P\361\262\333P\254\275\206Ph\262\333P\24\256\327Pm\262\333P\354\256\325Ps\262\333P\0\255\320Pc\262\333P\0\255\321P\341\262\333Pi\221\320PT\262\333PRicho\262\333P\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\376\340\203F\0\0\0\0\0\0\0\0\340\0\16\1\13\1\6\0\0\254\3\0\0\346\13\0\0\0\0\0`#\2\0\0\20\0\0\0\300\3\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\17\0\0\4\0\0\201\25\6\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0P\17\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\17\0dI\0\0\0\300\3\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324R\17\0\204\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0S\253\3\0\0\20\0\0\0\254\3\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 02117 540 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02118 540 NtQueryInformationProcess (340, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=636,ParentPid=536,}, 0x0, ) == 0x0 02119 540 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1239576, ... ) }, 1239576, ... ) == 0x0 02120 540 NtAllocateVirtualMemory (-1, 0, 0, 1680, 4096, 4, ... 11730944, 4096, ) == 0x0 02121 540 NtAllocateVirtualMemory (340, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 02122 540 NtWriteVirtualMemory (340, 0x10000, (340, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 02123 540 NtAllocateVirtualMemory (340, 0, 0, 1680, 4096, 4, ... 
131072, 4096, ) == 0x0 02124 540 NtWriteVirtualMemory (340, 0x20000, (340, 0x20000, "\0\20\0\0\220\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\374\0\376\0\230\4\0\0L\0N\0\230\5\0\0~\0\200\0\350\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\2\0h\6\0\0\36\0 \0l\6\0\0\0\0\2\0\214\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1680, ... 0x0, ) , 1680, ... 0x0, ) == 0x0 02125 540 NtWriteVirtualMemory (340, 0x7ffdf010, (340, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02126 540 NtWriteVirtualMemory (340, 0x7ffdf1e8, (340, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02127 540 NtFreeVirtualMemory (-1, (0xb30000), 0, 32768, ... (0xb30000), 4096, ) == 0x0 02128 540 NtAllocateVirtualMemory (340, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 02129 540 NtAllocateVirtualMemory (340, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 02130 540 NtProtectVirtualMemory (340, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 02131 540 NtCreateThread (0x1f03ff, 0x0, 340, 1239776, 1240496, 1, ... 
344, {636, 728}, ) == 0x0 02132 540 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312680, 1310720, 1384960, 1241596} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1384960, 1241596} "\0\0\0\0\0\0\1\0\2$\370w U\367wW\1\0\0X\1\0\0|\2\0\0\330\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 536, 540, 1522, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wT\1\0\0X\1\0\0|\2\0\0\330\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 536, 540, 1522, 0} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1384960, 1241596} "\0\0\0\0\0\0\1\0\2$\370w U\367wW\1\0\0X\1\0\0|\2\0\0\330\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 536, 540, 1522, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wT\1\0\0X\1\0\0|\2\0\0\330\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02133 540 NtResumeThread (344, ... 1, ) == 0x0 02134 540 NtClose (316, ... ) == 0x0 02135 540 NtClose (328, ... ) == 0x0 02136 540 NtDelayExecution (0, {-2000000, -1}, ... ) == 0x0 02137 540 NtClose (340, ... 
) == 0x0 02138 540 NtClose (344, ... ) == 0x0 02139 540 NtTerminateProcess (0, 0, ... ) == 0x0 02140 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x16,}, 4, ... ) == 0x0 02141 540 NtFreeVirtualMemory (-1, (0xa00000), 0, 32768, ... (0xa00000), 65536, ) == 0x0 02142 540 NtClose (280, ... ) == 0x0 02143 540 NtClose (284, ... ) == 0x0 02144 540 NtClose (292, ... ) == 0x0 02145 540 NtClose (288, ... ) == 0x0 02146 540 NtClose (296, ... ) == 0x0 02147 540 NtClose (268, ... ) == 0x0 02148 540 NtClose (276, ... ) == 0x0 02149 540 NtClose (312, ... ) == 0x0 02150 540 NtClose (308, ... ) == 0x0 02151 540 NtClose (304, ... ) == 0x0 02152 540 NtClose (300, ... ) == 0x0 02153 540 NtClose (272, ... ) == 0x0 02154 540 NtClose (256, ... ) == 0x0 02155 540 NtClose (252, ... ) == 0x0 02156 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0 02157 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0 02158 540 NtClose (244, ... ) == 0x0 02159 540 NtUnmapViewOfSection (-1, 0x9e0000, ... ) == 0x0 02160 540 NtClose (248, ... ) == 0x0 02161 540 NtClose (240, ... ) == 0x0 02162 540 NtClose (228, ... ) == 0x0 02163 540 NtClose (232, ... ) == 0x0 02164 540 NtClose (236, ... ) == 0x0 02165 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0 02166 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0 02167 540 NtWaitForMultipleObjects (2, (200, 208, ), 1, 0, 0x0, ... ) == 0x1 02168 540 NtClose (208, ... ) == 0x0 02169 540 NtSetEvent (200, ... 0x0, ) == 0x0 02170 540 NtClose (200, ... ) == 0x0 02171 540 NtWaitForMultipleObjects (2, (212, 216, ), 1, 0, 0x0, ... ) == 0x1 02172 540 NtClose (216, ... ) == 0x0 02173 540 NtSetEvent (212, ... 0x0, ) == 0x0 02174 540 NtClose (212, ... ) == 0x0 02175 540 NtWaitForMultipleObjects (2, (220, 224, ), 1, 0, 0x0, ... ) == 0x1 02176 540 NtClose (224, ... ) == 0x0 02177 540 NtSetEvent (220, ... 0x0, ) == 0x0 02178 540 NtClose (220, ... 
) == 0x0 02179 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 02180 540 NtFreeVirtualMemory (-1, (0x9a0000), 0, 32768, ... (0x9a0000), 262144, ) == 0x0 02181 540 NtUserUnregisterClass (1241896, 1991376896, 1241884, ... ) == 0x0 02182 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc03b 02183 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02184 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc03d 02185 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02186 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc03f 02187 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02188 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc041 02189 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02190 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc043 02191 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02192 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc045 02193 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02194 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc047 02195 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02196 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc049 02197 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02198 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc04b 02199 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02200 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc04d 02201 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02202 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... 
) == 0xc04f 02203 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02204 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc051 02205 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02206 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc053 02207 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02208 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc057 02209 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02210 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc059 02211 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02212 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc05b 02213 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02214 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc05d 02215 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02216 540 NtUserGetClassInfo (1999896576, 1241984, 1241936, 1242012, 0, ... ) == 0xc05f 02217 540 NtUserUnregisterClass (1241988, 1999896576, 1241976, ... ) == 0x1 02218 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 02219 540 NtClose (128, ... ) == 0x0 02220 540 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 02221 540 NtClose (132, ... ) == 0x0 02222 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 02223 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 02224 540 NtClose (100, ... ) == 0x0 02225 540 NtClose (88, ... ) == 0x0 02226 540 NtClose (104, ... ) == 0x0 02227 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc03b 02228 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02229 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... 
) == 0xc03d 02230 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02231 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc03f 02232 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02233 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc041 02234 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02235 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc043 02236 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02237 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc045 02238 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02239 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc047 02240 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02241 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc049 02242 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02243 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc04b 02244 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02245 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc04d 02246 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02247 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc04f 02248 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02249 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc051 02250 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02251 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc053 02252 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02253 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... 
) == 0xc057 02254 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02255 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc059 02256 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02257 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc05b 02258 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02259 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc05d 02260 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02261 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc05f 02262 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02263 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc017 02264 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02265 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc019 02266 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02267 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc018 02268 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02269 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc01a 02270 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02271 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc01c 02272 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02273 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc01e 02274 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02275 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc01b 02276 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02277 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... 
) == 0xc068 02278 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02279 540 NtUserGetClassInfo (1905590272, 1241984, 1241936, 1242012, 0, ... ) == 0xc06a 02280 540 NtUserUnregisterClass (1241988, 1905590272, 1241976, ... ) == 0x1 02281 540 NtUnmapViewOfSection (-1, 0x960000, ... ) == 0x0 02282 540 NtClose (96, ... ) == 0x0 02283 540 NtClose (84, ... ) == 0x0 02284 540 NtWaitForSingleObject (152, 0, 0x0, ... ) == 0x0 02285 540 NtClearEvent (152, ... ) == 0x0 02286 540 NtSetEvent (152, ... 0x0, ) == 0x0 02287 540 NtClose (152, ... ) == 0x0 02288 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 02289 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 02290 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02291 540 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02292 540 NtFreeVirtualMemory (-1, (0xb20000), 4096, 32768, ... (0xb20000), 4096, ) == 0x0 02293 540 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 65536, 5123988, 1, 68} (24, {20, 48, new_msg, 0, 65536, 5123988, 1, 68} "\0\0\0\0\3\0\1\0\260\31\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 536, 540, 1534, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 536, 540, 1534, 0} (24, {20, 48, new_msg, 0, 65536, 5123988, 1, 68} "\0\0\0\0\3\0\1\0\260\31\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 536, 540, 1534, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02294 540 NtTerminateProcess (-1, 0, ... 02295 540 NtClose (44, ... ) == 0x0