Summary (call count per native system call, sorted ascending by count and laid out column-wise):

NtCallbackReturn(>) 1 NtOpenProcessToken(>) 2 NtOpenProcessTokenEx(>) 10 NtUserRegisterClassExWOW(>) 34
NtConnectPort(>) 1 NtQueryInstallUILanguage(>) 2 NtOpenThreadTokenEx(>) 10 NtContinue(>) 35
NtGdiCreateBitmap(>) 1 NtRaiseException(>) 2 NtWriteFile(>) 10 NtQueryDebugFilterState(>) 36
NtGdiInit(>) 1 NtAddAtom(>) 3 NtQueryVolumeInformationFile(>) 12 NtRequestWaitReplyPort(>) 36
NtGdiQueryFontAssocInfo(>) 1 NtClearEvent(>) 3 NtQueryInformationToken(>) 13 NtQuerySystemInformation(>) 43
NtGdiSelectBitmap(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQueryDefaultUILanguage(>) 14 NtCreateEvent(>) 45
NtOpenKeyedEvent(>) 1 NtNotifyChangeKey(>) 3 NtReadFile(>) 14 NtSetInformationThread(>) 45
NtOpenProcess(>) 1 NtReleaseSemaphore(>) 3 NtUserFindWindowEx(>) 14 NtFreeVirtualMemory(>) 49
NtOpenSymbolicLinkObject(>) 1 NtSetInformationObject(>) 3 NtCreateKey(>) 15 NtCreateSection(>) 52
NtQueryEvent(>) 1 NtTerminateProcess(>) 3 NtSetValueKey(>) 15 NtQueryVirtualMemory(>) 53
NtQueryObject(>) 1 NtUserGetDC(>) 3 NtSetInformationFile(>) 17 NtUserGetClassInfo(>) 54
NtQuerySymbolicLinkObject(>) 1 NtWaitForMultipleObjects(>) 3 NtFsControlFile(>) 18 NtOpenSection(>) 56
NtQuerySystemTime(>) 1 NtDuplicateObject(>) 4 NtUserUnregisterClass(>) 19 NtOpenFile(>) 74
NtQueryTimerResolution(>) 1 NtEnumerateKey(>) 4 NtQueryInformationFile(>) 20 NtMapViewOfSection(>) 80
NtSecureConnectPort(>) 1 NtGdiGetStockObject(>) 5 NtUserRegisterWindowMessage(>) 22 NtProtectVirtualMemory(>) 82
NtSetInformationProcess(>) 1 NtCreateMutant(>) 6 NtUserFindExistingCursorIcon(>) 24 NtSetEvent(>) 92
NtUserCallNoParam(>) 1 NtDeviceIoControlFile(>) 6 NtCreateThread(>) 25 NtDelayExecution(>) 118
NtUserGetForegroundWindow(>) 1 NtOpenEvent(>) 6 NtFlushInstructionCache(>) 25 NtQueryAttributesFile(>) 118
NtUserGetObjectInformation(>) 1 NtOpenThreadToken(>) 7 NtQueryInformationThread(>) 25 NtWaitForSingleObject(>) 141
NtUserGetProcessWindowStation(>) 1 NtQueryInformationProcess(>) 7 NtResumeThread(>) 25 NtOpenKey(>) 157
NtUserGetThreadDesktop(>) 1 NtUserSystemParametersInfo(>) 7 NtCreateFile(>) 26 NtAllocateVirtualMemory(>) 222
NtUserQueryWindow(>) 1 NtQueryDefaultLocale(>) 9 NtRegisterThreadTerminatePort(>) 26 NtClose(>) 318
NtCreateIoCompletion(>) 2 NtReleaseMutant(>) 9 NtTestAlert(>) 26 NtQueryValueKey(>) 329
NtGdiCreateSolidBrush(>) 2 NtCreateSemaphore(>) 10 NtQuerySection(>) 33
NtOpenDirectoryObject(>) 2 NtOpenMutant(>) 10

Trace (one entry per call: sequence number, thread ID 420 (process 416 per the ClientId {416, 420} in the LPC replies), syscall, arguments with output values after "...", and "==" the return value — an NTSTATUS, or a handle/atom for most NtGdi*/NtUser* calls). Where an entry is split by a nested entry (e.g. 00105/00106) the outer call re-entered user mode via a callback and its return is printed when it resumes. Note the NtCreateFile probes for "\??\SICE", "\??\SIWVID" and "\??\NTICE" at 00233–00235, all failing with STATUS_OBJECT_NAME_NOT_FOUND; these device names are consistent with the SoftICE debugger-presence checks commonly seen in packers and should be treated as an anti-analysis indicator when reading the rest of the trace:

00001 420 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 420 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 420 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 420 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 420 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 420 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 420 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 420 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 420 NtClose (12, ... 
) == 0x0 00014 420 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 420 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 420 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 420 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 420 NtClose (16, ... ) == 0x0 00021 420 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 420 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 420 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 420 NtClose (16, ... ) == 0x0 00026 420 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 420 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 420 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 420 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 420 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 416, 420, 1480, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 416, 420, 1480, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 416, 420, 1480, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 420 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 420 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 420 NtClose (16, ... ) == 0x0 00036 420 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 420 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 420 NtClose (28, ... ) == 0x0 00041 420 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 420 NtClose (28, ... ) == 0x0 00045 420 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 420 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 420 NtClose (28, ... ) == 0x0 00049 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 420 NtClose (28, ... ) == 0x0 00052 420 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 416, 420, 1483, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 416, 420, 1483, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 416, 420, 1483, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 420 NtProtectVirtualMemory (-1, (0x484000), 4096, 4, ... (0x484000), 4096, 8, ) == 0x0 00057 420 NtProtectVirtualMemory (-1, (0x484000), 4096, 8, ... (0x484000), 4096, 4, ) == 0x0 00058 420 NtFlushInstructionCache (-1, 4734976, 4096, ... ) == 0x0 00059 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00061 420 NtClose (28, ... ) == 0x0 00062 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 420 NtClose (28, ... ) == 0x0 00065 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00067 420 NtClose (28, ... ) == 0x0 00068 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00070 420 NtClose (28, ... ) == 0x0 00071 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00072 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00073 420 NtClose (28, ... 
) == 0x0 00074 420 NtProtectVirtualMemory (-1, (0x484000), 4096, 4, ... (0x484000), 4096, 4, ) == 0x0 00075 420 NtProtectVirtualMemory (-1, (0x484000), 4096, 4, ... (0x484000), 4096, 4, ) == 0x0 00076 420 NtFlushInstructionCache (-1, 4734976, 4096, ... ) == 0x0 00077 420 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00078 420 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00079 420 NtClose (28, ... ) == 0x0 00080 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00081 420 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00082 420 NtClose (28, ... ) == 0x0 00083 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00084 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 416, 420, 1484, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 416, 420, 1484, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... 
{28, 56, reply, 0, 416, 420, 1484, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00085 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00086 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x590000), 0x0, 1060864, ) == 0x0 00087 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0 00088 420 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00089 420 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00090 420 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00091 420 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00092 420 NtClose (-2147482020, ... ) == 0x0 00093 420 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00094 420 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00095 420 NtDuplicateObject (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0 00096 420 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00097 420 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00098 420 NtClose (-2147482020, ... ) == 0x0 00099 420 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00100 420 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 420 NtClose (-2147482020, ... ) == 0x0 00102 420 NtQueryDefaultLocale (0, -128865780, ... 
) == 0x0 00103 420 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00104 420 NtUserCallNoParam (24, ... ) == 0x0 00105 420 NtGdiCreateCompatibleDC (0, ... 00106 420 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00105 420 NtGdiCreateCompatibleDC ... ) == 0x160103c6 00107 420 NtGdiGetStockObject (0, ... ) == 0x1900010 00108 420 NtGdiGetStockObject (4, ... ) == 0x1900011 00109 420 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x1105039b 00110 420 NtGdiCreateSolidBrush (0, 0, ... 00111 420 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 10092544, 4096, ) == 0x0 00110 420 NtGdiCreateSolidBrush ... ) == 0x131003ce 00112 420 NtGdiGetStockObject (13, ... ) == 0x18a0021 00113 420 NtGdiCreateCompatibleDC (0, ... ) == 0x3e01040c 00114 420 NtGdiSelectBitmap (1040253964, 285541275, ... ) == 0x185000f 00115 420 NtUserGetThreadDesktop (420, 0, ... ) == 0x28 00116 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0 00117 420 NtQueryValueKey (48, (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00118 420 NtClose (48, ... ) == 0x0 00119 420 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00120 420 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00121 420 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00122 420 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00123 420 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00124 420 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... 
) == 0x810dc01e 00125 420 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00126 420 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00127 420 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00128 420 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00129 420 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00130 420 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00131 420 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00132 420 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00133 420 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00134 420 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00135 420 NtAllocateVirtualMemory (-1, 7041024, 0, 4096, 4096, 32, ... 7041024, 4096, ) == 0x0 00134 420 NtUserRegisterClassExWOW ... ) == 0x810dc026 00136 420 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00137 420 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00138 420 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00139 420 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00140 420 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00141 420 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00142 420 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00143 420 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00144 420 NtCallbackReturn (0, 0, 0, ... 00145 420 NtGdiInit (... 
) == 0x1 00146 420 NtGdiGetStockObject (18, ... ) == 0x290001c 00147 420 NtGdiGetStockObject (19, ... ) == 0x1b00019 00148 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0 00149 420 NtQueryValueKey (48, (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00150 420 NtQueryValueKey (48, (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00151 420 NtClose (48, ... ) == 0x0 00152 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0 00153 420 NtQueryValueKey (48, (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 420 NtClose (48, ... ) == 0x0 00155 420 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0 00156 420 NtSetInformationObject (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00157 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00158 420 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00159 420 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 420 NtClose (52, ... 
) == 0x0 00161 420 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {416, 0}, ... 52, ) == 0x0 00162 420 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00163 420 NtClose (52, ... ) == 0x0 00164 420 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00165 420 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00166 420 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00167 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00168 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 52, ) == 0x0 00169 420 NtQueryInformationToken (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00170 420 NtClose (52, ... ) == 0x0 00171 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0 00172 420 NtSetInformationObject (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00173 420 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00174 420 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 420 NtClose (56, ... ) == 0x0 00176 420 NtUserSystemParametersInfo (41, 500, 1243132, 0, ... ) == 0x1 00177 420 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00178 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00179 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00180 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03b 00181 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00182 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03d 00183 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... 
) == 0x0 00184 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00185 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03f 00186 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00187 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00188 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc041 00189 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00190 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00191 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc043 00192 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00193 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc045 00194 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00195 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00196 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc047 00197 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00198 420 NtUserFindExistingCursorIcon (1242920, 1242936, 1243504, ... ) == 0x10011 00199 420 NtUserRegisterClassExWOW (1243372, 1243452, 1243436, 1243468, 0, 384, 0, ... ) == 0x810dc049 00200 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00201 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00202 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04b 00203 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00204 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00205 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... 
) == 0x810dc04d 00206 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00207 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00208 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04f 00209 420 NtUserGetClassInfo (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0x0 00210 420 NtUserRegisterClassExWOW (1243380, 1243460, 1243444, 1243476, 0, 384, 0, ... ) == 0x810dc051 00211 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00212 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00213 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc053 00214 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00215 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00216 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc055 00217 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc057 00218 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00219 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00220 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc059 00221 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00222 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10013 00223 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05b 00224 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00225 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00226 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... 
) == 0x810dc05d 00227 420 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00228 420 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00229 420 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05f 00230 420 NtTestAlert (... ) == 0x0 00231 420 NtContinue (1244464, 1, ... 00232 420 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x485014,}, 4, ... ) == 0x0 00233 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244964, (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00234 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244964, (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SIWVID"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1244964, (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\NTICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00236 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00237 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00238 420 NtContinue (1244368, 0, ... 00239 420 NtContinue (1244336, 0, ... 00240 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244952, (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\KERNEL32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0 00241 420 NtQueryInformationFile (56, 1245004, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 00242 420 NtAllocateVirtualMemory (-1, 0, 0, 926720, 4096, 64, ... 10158080, 929792, ) == 0x0 00243 420 NtReadFile (56, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720}, (56, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\233\10S\206\337i=\325\337i=\325\337i=\325\337i<\325]h=\325%J$\325\334i=\325\337i=\325\335i=\325%J\2\325\336i=\325HJx\325\336i=\325%J}\325\334i=\325\5J!\325\16i=\325\5J \325\334i=\325%J\0\325\336i=\325Rich\337i=\325\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0H\7\0\0\336\6\0\0\0\0\0A\242\1\0\0\20\0\0\0\20\7\0\0\0\346w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\16\0\0\4\0\0\222\207\16\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0@!\2\0\210i\0\0\304-\7\0(\0\0\0\0\220\7\0\330^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\15\0\20S\0\0 V\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250f\7\0@\0\0\0\220\2\0\0\34\0\0\0\0\20\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) , ) == 0x0 00244 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244952, (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\USER32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0 00245 420 NtQueryInformationFile (60, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00246 420 NtAllocateVirtualMemory (-1, 0, 0, 561152, 4096, 64, ... 11141120, 561152, ) == 0x0 00247 420 NtReadFile (60, 0, 0, 0, 561152, 0x0, 0, ... {status=0x0, info=561152}, (60, 0, 0, 0, 561152, 0x0, 0, ... 
{status=0x0, info=561152}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0cf;e'\7U6'\7U6'\7U6'\7T6`\6U6\335$L6 \7U6'\7U6%\7U6\335$j6&\7U6\260$\206&\7U6\335$\256!\7U6\375$I6U\7U6\335$h6&\7U6Rich'\7U6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\262\5\0\0\340\2\0\0\0\0\0KQ\0\0\0\20\0\0\0P\5\0\0\0\324w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\320\10\0\0\4\0\0\35?\11\0\2\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0pk\1\0\251K\0\0\230\244\5\0P\0\0\0\0\360\5\0\210\240\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\10\0\270+\0\0\0\300\5\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\2\0\0L\0\0\0\0\20\0\0\324\4\0\0\300\241\5\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\08\260\5\0", ) , ) == 0x0 00248 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244956, (0x80100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\ADVAPI32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0 00249 420 NtQueryInformationFile (64, 1245008, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00250 420 NtAllocateVirtualMemory (-1, 0, 0, 549888, 4096, 64, ... 11730944, 552960, ) == 0x0 00251 420 NtReadFile (64, 0, 0, 0, 549888, 0x0, 0, ... {status=0x0, info=549888}, (64, 0, 0, 0, 549888, 0x0, 0, ... 
{status=0x0, info=549888}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\375\343\244\227\271\202\312\304\271\202\312\304\271\202\312\304C\241\323\304\276\202\312\304\271\202\312\304\273\202\312\304C\241\212\304\275\202\312\304\364\241\326\304\262\202\312\304p\240\340\304\277\202\312\304\271\202\313\304\37\203\312\304C\241\365\304\270\202\312\304.\241\217\304\270\202\312\304c\241\327\304\255\202\312\304c\241\326\304:\202\312\304C\241\367\304\270\202\312\304Rich\271\202\312\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0B\6\0\02\2\0\0\0\0\0\373\34\0\0\0\20\0\0\0 \6\0\0\0\335w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\260\10\0\0\4\0\0\305\371\10\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\224\1\0YQ\0\0\204(\6\0P\0\0\0\0\260\6\0h\251\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\10\0\264D\0\0\330P\6\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\0L\0\0\0\0\20\0\0\\6\0\0\360&\6\0`\0\0\0\0\0\0\0", ) , ) == 0x0 00252 420 NtClose (64, ... ) == 0x0 00253 420 NtClose (60, ... ) == 0x0 00254 420 NtClose (56, ... ) == 0x0 00255 420 NtRaiseException (1244384, 1243644, 1, ... 00256 420 NtContinue (1242440, 0, ... 00257 420 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 56, ) }, ... 56, ) == 0x0 00258 420 NtOpenMutant (0x120001, {24, 56, 0x2, 0, 0, (0x120001, {24, 56, 0x2, 0, 0, "DBWinMutex"}, ... 60, ) }, ... 60, ) == 0x0 00259 420 NtWaitForSingleObject (60, 0, 0x0, ... ) == 0x0 00260 420 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00261 420 NtReleaseMutant (60, ... 
0x0, ) == 0x0 00262 420 NtAllocateVirtualMemory (-1, 0, 0, 748, 4096, 4, ... 12320768, 4096, ) == 0x0 00263 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00264 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00265 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00266 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == 0x0 00267 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00268 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0 00269 420 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00270 420 NtOpenProcessToken (-1, 0x8, ... 72, ) == 0x0 00271 420 NtQueryInformationToken (72, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00272 420 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00273 420 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0 00274 420 NtQueryValueKey (76, (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00275 420 NtClose (76, ... ) == 0x0 00276 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00277 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00278 420 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00279 420 NtClose (76, ... ) == 0x0 00280 420 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00281 420 NtClose (72, ... ) == 0x0 00282 420 NtClose (64, ... ) == 0x0 00283 420 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 00284 420 NtClose (68, ... ) == 0x0 00285 420 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00286 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0 00287 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0 00288 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0 00289 420 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 76, ) }, ... 76, ) == 0x0 00290 420 NtQueryValueKey (76, (76, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00291 420 NtQueryValueKey (76, (76, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00292 420 NtQueryValueKey (76, (76, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00293 420 NtQueryValueKey (76, (76, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 420 NtQueryValueKey (76, (76, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00295 420 NtQueryValueKey (76, (76, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00296 420 NtQueryValueKey (76, (76, "wave6", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00297 420 NtQueryValueKey (76, (76, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00298 420 NtQueryValueKey (76, (76, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00299 420 NtQueryValueKey (76, (76, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00300 420 NtQueryValueKey (76, (76, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00301 420 NtQueryValueKey (76, (76, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00302 420 NtQueryValueKey (76, (76, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00303 420 NtQueryValueKey (76, (76, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00304 420 NtQueryValueKey (76, (76, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00305 420 NtQueryValueKey (76, (76, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00306 420 NtQueryValueKey (76, (76, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00307 420 NtQueryValueKey (76, (76, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 420 NtQueryValueKey (76, (76, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 420 NtQueryValueKey (76, (76, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00310 420 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 00311 420 NtQueryValueKey (76, (76, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00312 420 NtQueryValueKey (76, (76, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00313 420 NtQueryValueKey (76, (76, "aux2", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00314 420 NtQueryValueKey (76, (76, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00315 420 NtQueryValueKey (76, (76, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00316 420 NtQueryValueKey (76, (76, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00317 420 NtQueryValueKey (76, (76, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 420 NtQueryValueKey (76, (76, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00319 420 NtQueryValueKey (76, (76, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00320 420 NtQueryValueKey (76, (76, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00321 420 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 00322 420 NtOpenKey (0xf003f, {24, 48, 0x40, 0, 0, (0xf003f, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 80, ) }, ... 80, ) == 0x0 00323 420 NtQueryValueKey (80, (80, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00324 420 NtClose (80, ... ) == 0x0 00325 420 NtCreateEvent (0x1f0003, {24, 56, 0x80, 0, 0, (0x1f0003, {24, 56, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00326 420 NtQueryValueKey (76, (76, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00327 420 NtQueryValueKey (76, (76, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00328 420 NtQueryValueKey (76, (76, "mixer2", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00329 420 NtQueryValueKey (76, (76, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00330 420 NtQueryValueKey (76, (76, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00331 420 NtQueryValueKey (76, (76, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00332 420 NtQueryValueKey (76, (76, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00333 420 NtQueryValueKey (76, (76, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00334 420 NtQueryValueKey (76, (76, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00335 420 NtQueryValueKey (76, (76, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00336 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12386304, 1048576, ) == 0x0 00337 420 NtAllocateVirtualMemory (-1, 13426688, 0, 8192, 4096, 4, ... 13426688, 8192, ) == 0x0 00338 420 NtProtectVirtualMemory (-1, (0xcce000), 4096, 260, ... (0xcce000), 4096, 4, ) == 0x0 00339 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 80, {416, 568}, ) == 0x0 00340 420 NtQueryInformationThread (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=416,Tid=568,}, 0x0, ) == 0x0 00341 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} "\0\0\0\0\1\0\1\0- (P\0\0\0\240\1\0\08\2\0\0" ... {28, 56, reply, 0, 416, 420, 1496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (P\0\0\0\240\1\0\08\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1496, 0} (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} "\0\0\0\0\1\0\1\0- (P\0\0\0\240\1\0\08\2\0\0" ... {28, 56, reply, 0, 416, 420, 1496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (P\0\0\0\240\1\0\08\2\0\0" ) ) == 0x0 00342 420 NtResumeThread (80, ... 
1, ) == 0x0 00343 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0 00344 420 NtAllocateVirtualMemory (-1, 14475264, 0, 8192, 4096, 4, ... 14475264, 8192, ) == 0x0 00345 568 NtTestAlert (... ) == 0x0 00346 568 NtContinue (13434160, 1, ... 00347 568 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00348 568 NtDelayExecution (0, {-150000, -1}, ... 00349 420 NtProtectVirtualMemory (-1, (0xdce000), 4096, 260, ... (0xdce000), 4096, 4, ) == 0x0 00350 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 84, {416, 588}, ) == 0x0 00351 420 NtQueryInformationThread (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=416,Tid=588,}, 0x0, ) == 0x0 00352 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1496, 0} (24, {28, 56, new_msg, 0, 416, 420, 1496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (T\0\0\0\240\1\0\0L\2\0\0" ... {28, 56, reply, 0, 416, 420, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (T\0\0\0\240\1\0\0L\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1497, 0} (24, {28, 56, new_msg, 0, 416, 420, 1496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (T\0\0\0\240\1\0\0L\2\0\0" ... {28, 56, reply, 0, 416, 420, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (T\0\0\0\240\1\0\0L\2\0\0" ) ) == 0x0 00353 420 NtResumeThread (84, ... 1, ) == 0x0 00354 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00355 588 NtTestAlert (... ) == 0x0 00356 588 NtContinue (14482736, 1, ... 00357 588 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00358 588 NtDelayExecution (0, {-150000, -1}, ... 00354 420 NtAllocateVirtualMemory ... 14483456, 1048576, ) == 0x0 00359 420 NtAllocateVirtualMemory (-1, 15523840, 0, 8192, 4096, 4, ... 15523840, 8192, ) == 0x0 00360 420 NtProtectVirtualMemory (-1, (0xece000), 4096, 260, ... (0xece000), 4096, 4, ) == 0x0 00361 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 88, {416, 572}, ) == 0x0 00362 420 NtQueryInformationThread (88, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=416,Tid=572,}, 0x0, ) == 0x0 00363 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1497, 0} (24, {28, 56, new_msg, 0, 416, 420, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (X\0\0\0\240\1\0\0<\2\0\0" ... {28, 56, reply, 0, 416, 420, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (X\0\0\0\240\1\0\0<\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1498, 0} (24, {28, 56, new_msg, 0, 416, 420, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (X\0\0\0\240\1\0\0<\2\0\0" ... {28, 56, reply, 0, 416, 420, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (X\0\0\0\240\1\0\0<\2\0\0" ) ) == 0x0 00364 420 NtResumeThread (88, ... 1, ) == 0x0 00365 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15532032, 1048576, ) == 0x0 00366 420 NtAllocateVirtualMemory (-1, 16572416, 0, 8192, 4096, 4, ... 16572416, 8192, ) == 0x0 00367 572 NtTestAlert (... ) == 0x0 00368 572 NtContinue (15531312, 1, ... 00369 572 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00370 572 NtDelayExecution (0, {-150000, -1}, ... 00371 420 NtProtectVirtualMemory (-1, (0xfce000), 4096, 260, ... (0xfce000), 4096, 4, ) == 0x0 00372 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 92, {416, 580}, ) == 0x0 00373 420 NtQueryInformationThread (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=416,Tid=580,}, 0x0, ) == 0x0 00374 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1498, 0} (24, {28, 56, new_msg, 0, 416, 420, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (\\0\0\0\240\1\0\0D\2\0\0" ... {28, 56, reply, 0, 416, 420, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (\\0\0\0\240\1\0\0D\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1499, 0} (24, {28, 56, new_msg, 0, 416, 420, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (\\0\0\0\240\1\0\0D\2\0\0" ... {28, 56, reply, 0, 416, 420, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (\\0\0\0\240\1\0\0D\2\0\0" ) ) == 0x0 00375 420 NtResumeThread (92, ... 1, ) == 0x0 00376 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00377 580 NtTestAlert (... 
) == 0x0 00378 580 NtContinue (16579888, 1, ... 00379 580 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00380 580 NtDelayExecution (0, {-150000, -1}, ... 00376 420 NtAllocateVirtualMemory ... 16580608, 1048576, ) == 0x0 00381 420 NtAllocateVirtualMemory (-1, 17620992, 0, 8192, 4096, 4, ... 17620992, 8192, ) == 0x0 00382 420 NtProtectVirtualMemory (-1, (0x10ce000), 4096, 260, ... (0x10ce000), 4096, 4, ) == 0x0 00383 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 96, {416, 584}, ) == 0x0 00384 420 NtQueryInformationThread (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=416,Tid=584,}, 0x0, ) == 0x0 00385 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1499, 0} (24, {28, 56, new_msg, 0, 416, 420, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (`\0\0\0\240\1\0\0H\2\0\0" ... {28, 56, reply, 0, 416, 420, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (`\0\0\0\240\1\0\0H\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1500, 0} (24, {28, 56, new_msg, 0, 416, 420, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (`\0\0\0\240\1\0\0H\2\0\0" ... {28, 56, reply, 0, 416, 420, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (`\0\0\0\240\1\0\0H\2\0\0" ) ) == 0x0 00386 420 NtResumeThread (96, ... 1, ) == 0x0 00387 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17629184, 1048576, ) == 0x0 00388 420 NtAllocateVirtualMemory (-1, 18669568, 0, 8192, 4096, 4, ... 18669568, 8192, ) == 0x0 00389 584 NtTestAlert (... ) == 0x0 00390 584 NtContinue (17628464, 1, ... 00391 584 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00392 584 NtDelayExecution (0, {-150000, -1}, ... 00393 420 NtProtectVirtualMemory (-1, (0x11ce000), 4096, 260, ... (0x11ce000), 4096, 4, ) == 0x0 00394 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 100, {416, 576}, ) == 0x0 00395 420 NtQueryInformationThread (100, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=416,Tid=576,}, 0x0, ) == 0x0 00396 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1500, 0} (24, {28, 56, new_msg, 0, 416, 420, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (d\0\0\0\240\1\0\0@\2\0\0" ... {28, 56, reply, 0, 416, 420, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (d\0\0\0\240\1\0\0@\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1501, 0} (24, {28, 56, new_msg, 0, 416, 420, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (d\0\0\0\240\1\0\0@\2\0\0" ... {28, 56, reply, 0, 416, 420, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (d\0\0\0\240\1\0\0@\2\0\0" ) ) == 0x0 00397 420 NtResumeThread (100, ... 1, ) == 0x0 00398 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00399 576 NtTestAlert (... ) == 0x0 00400 576 NtContinue (18677040, 1, ... 00401 576 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00402 576 NtDelayExecution (0, {-150000, -1}, ... 00398 420 NtAllocateVirtualMemory ... 18677760, 1048576, ) == 0x0 00403 420 NtAllocateVirtualMemory (-1, 19718144, 0, 8192, 4096, 4, ... 19718144, 8192, ) == 0x0 00404 420 NtProtectVirtualMemory (-1, (0x12ce000), 4096, 260, ... (0x12ce000), 4096, 4, ) == 0x0 00405 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 104, {416, 596}, ) == 0x0 00406 420 NtQueryInformationThread (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=416,Tid=596,}, 0x0, ) == 0x0 00407 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1501, 0} (24, {28, 56, new_msg, 0, 416, 420, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (h\0\0\0\240\1\0\0T\2\0\0" ... {28, 56, reply, 0, 416, 420, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (h\0\0\0\240\1\0\0T\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1502, 0} (24, {28, 56, new_msg, 0, 416, 420, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (h\0\0\0\240\1\0\0T\2\0\0" ... {28, 56, reply, 0, 416, 420, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (h\0\0\0\240\1\0\0T\2\0\0" ) ) == 0x0 00408 420 NtResumeThread (104, ... 
1, ) == 0x0 00409 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19726336, 1048576, ) == 0x0 00410 420 NtAllocateVirtualMemory (-1, 20766720, 0, 8192, 4096, 4, ... 20766720, 8192, ) == 0x0 00411 596 NtTestAlert (... ) == 0x0 00412 596 NtContinue (19725616, 1, ... 00413 596 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00414 596 NtDelayExecution (0, {-150000, -1}, ... 00415 420 NtProtectVirtualMemory (-1, (0x13ce000), 4096, 260, ... (0x13ce000), 4096, 4, ) == 0x0 00416 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 108, {416, 636}, ) == 0x0 00417 420 NtQueryInformationThread (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=416,Tid=636,}, 0x0, ) == 0x0 00418 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1502, 0} (24, {28, 56, new_msg, 0, 416, 420, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (l\0\0\0\240\1\0\0|\2\0\0" ... {28, 56, reply, 0, 416, 420, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (l\0\0\0\240\1\0\0|\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1503, 0} (24, {28, 56, new_msg, 0, 416, 420, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (l\0\0\0\240\1\0\0|\2\0\0" ... {28, 56, reply, 0, 416, 420, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 (l\0\0\0\240\1\0\0|\2\0\0" ) ) == 0x0 00419 420 NtResumeThread (108, ... 1, ) == 0x0 00420 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 00421 636 NtTestAlert (... ) == 0x0 00422 636 NtContinue (20774192, 1, ... 00423 636 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00424 636 NtDelayExecution (0, {-20010000, -1}, ... 00420 420 NtCreateEvent ... 112, ) == 0x0 00425 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0 00426 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0 00427 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0 00428 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 128, ) == 0x0 00429 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0 00430 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0 00431 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
140, ) == 0x0 00432 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0 00433 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 00434 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 00435 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0 00436 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0 00437 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0 00438 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0 00439 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0 00440 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20774912, 1048576, ) == 0x0 00441 420 NtAllocateVirtualMemory (-1, 21815296, 0, 8192, 4096, 4, ... 21815296, 8192, ) == 0x0 00442 420 NtProtectVirtualMemory (-1, (0x14ce000), 4096, 260, ... (0x14ce000), 4096, 4, ) == 0x0 00443 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 176, {416, 728}, ) == 0x0 00444 420 NtQueryInformationThread (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=416,Tid=728,}, 0x0, ) == 0x0 00445 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 10264591, 5487136, 0, 5460787} (24, {28, 56, new_msg, 0, 10264591, 5487136, 0, 5460787} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\260\0\0\0\240\1\0\0\330\2\0\0" ... {28, 56, reply, 0, 416, 420, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\240\1\0\0\330\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1504, 0} (24, {28, 56, new_msg, 0, 10264591, 5487136, 0, 5460787} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\260\0\0\0\240\1\0\0\330\2\0\0" ... {28, 56, reply, 0, 416, 420, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\240\1\0\0\330\2\0\0" ) ) == 0x0 00446 420 NtResumeThread (176, ... 1, ) == 0x0 00447 420 NtSetInformationThread (176, BasePriority, {thread info, class 3, size 4}, 4, ... 00448 728 NtTestAlert (... ) == 0x0 00449 728 NtContinue (21822768, 1, ... 00450 728 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00451 728 NtWaitForSingleObject (112, 0, 0x0, ... 
00447 420 NtSetInformationThread ... ) == 0x0 00452 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 21823488, 1048576, ) == 0x0 00453 420 NtAllocateVirtualMemory (-1, 22863872, 0, 8192, 4096, 4, ... 22863872, 8192, ) == 0x0 00454 420 NtProtectVirtualMemory (-1, (0x15ce000), 4096, 260, ... (0x15ce000), 4096, 4, ) == 0x0 00455 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 180, {416, 736}, ) == 0x0 00456 420 NtQueryInformationThread (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=416,Tid=736,}, 0x0, ) == 0x0 00457 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1504, 0} (24, {28, 56, new_msg, 0, 416, 420, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\240\1\0\0\340\2\0\0" ... {28, 56, reply, 0, 416, 420, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\240\1\0\0\340\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1505, 0} (24, {28, 56, new_msg, 0, 416, 420, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\240\1\0\0\340\2\0\0" ... {28, 56, reply, 0, 416, 420, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\240\1\0\0\340\2\0\0" ) ) == 0x0 00458 420 NtResumeThread (180, ... 1, ) == 0x0 00459 420 NtSetInformationThread (180, BasePriority, {thread info, class 3, size 4}, 4, ... 00460 736 NtTestAlert (... ) == 0x0 00461 736 NtContinue (22871344, 1, ... 00462 736 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00463 736 NtWaitForSingleObject (116, 0, 0x0, ... 00459 420 NtSetInformationThread ... ) == 0x0 00464 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 22872064, 1048576, ) == 0x0 00465 420 NtAllocateVirtualMemory (-1, 23912448, 0, 8192, 4096, 4, ... 23912448, 8192, ) == 0x0 00466 420 NtProtectVirtualMemory (-1, (0x16ce000), 4096, 260, ... (0x16ce000), 4096, 4, ) == 0x0 00467 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 184, {416, 676}, ) == 0x0 00468 420 NtQueryInformationThread (184, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=416,Tid=676,}, 0x0, ) == 0x0 00469 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1505, 0} (24, {28, 56, new_msg, 0, 416, 420, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\240\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 416, 420, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\240\1\0\0\244\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1506, 0} (24, {28, 56, new_msg, 0, 416, 420, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\240\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 416, 420, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\240\1\0\0\244\2\0\0" ) ) == 0x0 00470 420 NtResumeThread (184, ... 1, ) == 0x0 00471 420 NtSetInformationThread (184, BasePriority, {thread info, class 3, size 4}, 4, ... 00472 676 NtTestAlert (... ) == 0x0 00473 676 NtContinue (23919920, 1, ... 00474 676 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00475 676 NtWaitForSingleObject (120, 0, 0x0, ... 00471 420 NtSetInformationThread ... ) == 0x0 00476 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 23920640, 1048576, ) == 0x0 00477 420 NtAllocateVirtualMemory (-1, 24961024, 0, 8192, 4096, 4, ... 24961024, 8192, ) == 0x0 00478 420 NtProtectVirtualMemory (-1, (0x17ce000), 4096, 260, ... (0x17ce000), 4096, 4, ) == 0x0 00479 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 188, {416, 796}, ) == 0x0 00480 420 NtQueryInformationThread (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=416,Tid=796,}, 0x0, ) == 0x0 00481 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1506, 0} (24, {28, 56, new_msg, 0, 416, 420, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\240\1\0\0\34\3\0\0" ... {28, 56, reply, 0, 416, 420, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\240\1\0\0\34\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1507, 0} (24, {28, 56, new_msg, 0, 416, 420, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\240\1\0\0\34\3\0\0" ... 
{28, 56, reply, 0, 416, 420, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\240\1\0\0\34\3\0\0" ) ) == 0x0 00482 420 NtResumeThread (188, ... 1, ) == 0x0 00483 420 NtSetInformationThread (188, BasePriority, {thread info, class 3, size 4}, 4, ... 00484 796 NtTestAlert (... ) == 0x0 00485 796 NtContinue (24968496, 1, ... 00486 796 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00487 796 NtWaitForSingleObject (124, 0, 0x0, ... 00483 420 NtSetInformationThread ... ) == 0x0 00488 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24969216, 1048576, ) == 0x0 00489 420 NtAllocateVirtualMemory (-1, 26009600, 0, 8192, 4096, 4, ... 26009600, 8192, ) == 0x0 00490 420 NtProtectVirtualMemory (-1, (0x18ce000), 4096, 260, ... (0x18ce000), 4096, 4, ) == 0x0 00491 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 192, {416, 792}, ) == 0x0 00492 420 NtQueryInformationThread (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=416,Tid=792,}, 0x0, ) == 0x0 00493 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1507, 0} (24, {28, 56, new_msg, 0, 416, 420, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\240\1\0\0\30\3\0\0" ... {28, 56, reply, 0, 416, 420, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\240\1\0\0\30\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1508, 0} (24, {28, 56, new_msg, 0, 416, 420, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\240\1\0\0\30\3\0\0" ... {28, 56, reply, 0, 416, 420, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\240\1\0\0\30\3\0\0" ) ) == 0x0 00494 420 NtResumeThread (192, ... 1, ) == 0x0 00495 792 NtTestAlert (... ) == 0x0 00496 792 NtContinue (26017072, 1, ... 00497 792 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00498 792 NtWaitForSingleObject (128, 0, 0x0, ... 00499 420 NtSetInformationThread (192, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0 00500 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
26017792, 1048576, ) == 0x0 00501 420 NtAllocateVirtualMemory (-1, 27058176, 0, 8192, 4096, 4, ... 27058176, 8192, ) == 0x0 00502 420 NtProtectVirtualMemory (-1, (0x19ce000), 4096, 260, ... (0x19ce000), 4096, 4, ) == 0x0 00503 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 196, {416, 712}, ) == 0x0 00504 420 NtQueryInformationThread (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=416,Tid=712,}, 0x0, ) == 0x0 00505 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1508, 0} (24, {28, 56, new_msg, 0, 416, 420, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\240\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 416, 420, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\240\1\0\0\310\2\0\0" ) ... {28, 56, reply, 0, 416, 420, 1509, 0} (24, {28, 56, new_msg, 0, 416, 420, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\240\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 416, 420, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\240\1\0\0\310\2\0\0" ) ) == 0x0 00506 420 NtResumeThread (196, ... 1, ) == 0x0 00507 420 NtSetInformationThread (196, BasePriority, {thread info, class 3, size 4}, 4, ... 00508 712 NtTestAlert (... ) == 0x0 00509 712 NtContinue (27065648, 1, ... 00510 712 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00511 712 NtWaitForSingleObject (132, 0, 0x0, ... 00507 420 NtSetInformationThread ... ) == 0x0 00512 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27066368, 1048576, ) == 0x0 00513 420 NtAllocateVirtualMemory (-1, 28106752, 0, 8192, 4096, 4, ... 28106752, 8192, ) == 0x0 00514 420 NtProtectVirtualMemory (-1, (0x1ace000), 4096, 260, ... (0x1ace000), 4096, 4, ) == 0x0 00515 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 200, {416, 840}, ) == 0x0 00516 420 NtQueryInformationThread (200, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=416,Tid=840,}, 0x0, ) == 0x0 00517 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1509, 0} (24, {28, 56, new_msg, 0, 416, 420, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\240\1\0\0H\3\0\0" ... {28, 56, reply, 0, 416, 420, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\240\1\0\0H\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1510, 0} (24, {28, 56, new_msg, 0, 416, 420, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\240\1\0\0H\3\0\0" ... {28, 56, reply, 0, 416, 420, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\240\1\0\0H\3\0\0" ) ) == 0x0 00518 420 NtResumeThread (200, ... 1, ) == 0x0 00519 420 NtSetInformationThread (200, BasePriority, {thread info, class 3, size 4}, 4, ... 00520 840 NtTestAlert (... ) == 0x0 00521 840 NtContinue (28114224, 1, ... 00522 840 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00523 840 NtWaitForSingleObject (136, 0, 0x0, ... 00519 420 NtSetInformationThread ... ) == 0x0 00524 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28114944, 1048576, ) == 0x0 00525 420 NtAllocateVirtualMemory (-1, 29155328, 0, 8192, 4096, 4, ... 29155328, 8192, ) == 0x0 00526 420 NtProtectVirtualMemory (-1, (0x1bce000), 4096, 260, ... (0x1bce000), 4096, 4, ) == 0x0 00527 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 204, {416, 860}, ) == 0x0 00528 420 NtQueryInformationThread (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=416,Tid=860,}, 0x0, ) == 0x0 00529 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1510, 0} (24, {28, 56, new_msg, 0, 416, 420, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\240\1\0\0\\3\0\0" ... {28, 56, reply, 0, 416, 420, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\240\1\0\0\\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1511, 0} (24, {28, 56, new_msg, 0, 416, 420, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\240\1\0\0\\3\0\0" ... 
{28, 56, reply, 0, 416, 420, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\240\1\0\0\\3\0\0" ) ) == 0x0 00530 420 NtResumeThread (204, ... 1, ) == 0x0 00531 420 NtSetInformationThread (204, BasePriority, {thread info, class 3, size 4}, 4, ... 00532 860 NtTestAlert (... ) == 0x0 00533 860 NtContinue (29162800, 1, ... 00534 860 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00535 860 NtWaitForSingleObject (140, 0, 0x0, ... 00531 420 NtSetInformationThread ... ) == 0x0 00536 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29163520, 1048576, ) == 0x0 00537 420 NtAllocateVirtualMemory (-1, 30203904, 0, 8192, 4096, 4, ... 30203904, 8192, ) == 0x0 00538 420 NtProtectVirtualMemory (-1, (0x1cce000), 4096, 260, ... (0x1cce000), 4096, 4, ) == 0x0 00539 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 208, {416, 864}, ) == 0x0 00540 420 NtQueryInformationThread (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=416,Tid=864,}, 0x0, ) == 0x0 00541 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1511, 0} (24, {28, 56, new_msg, 0, 416, 420, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\240\1\0\0`\3\0\0" ... {28, 56, reply, 0, 416, 420, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\240\1\0\0`\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1512, 0} (24, {28, 56, new_msg, 0, 416, 420, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\240\1\0\0`\3\0\0" ... {28, 56, reply, 0, 416, 420, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\240\1\0\0`\3\0\0" ) ) == 0x0 00542 420 NtResumeThread (208, ... 1, ) == 0x0 00543 420 NtSetInformationThread (208, BasePriority, {thread info, class 3, size 4}, 4, ... 00544 864 NtTestAlert (... ) == 0x0 00545 864 NtContinue (30211376, 1, ... 00546 864 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00547 864 NtWaitForSingleObject (144, 0, 0x0, ... 00543 420 NtSetInformationThread ... ) == 0x0 00548 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
30212096, 1048576, ) == 0x0 00549 420 NtAllocateVirtualMemory (-1, 31252480, 0, 8192, 4096, 4, ... 31252480, 8192, ) == 0x0 00550 420 NtProtectVirtualMemory (-1, (0x1dce000), 4096, 260, ... (0x1dce000), 4096, 4, ) == 0x0 00551 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 212, {416, 868}, ) == 0x0 00552 420 NtQueryInformationThread (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=416,Tid=868,}, 0x0, ) == 0x0 00553 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1512, 0} (24, {28, 56, new_msg, 0, 416, 420, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\240\1\0\0d\3\0\0" ... {28, 56, reply, 0, 416, 420, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\240\1\0\0d\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1513, 0} (24, {28, 56, new_msg, 0, 416, 420, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\240\1\0\0d\3\0\0" ... {28, 56, reply, 0, 416, 420, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\240\1\0\0d\3\0\0" ) ) == 0x0 00554 420 NtResumeThread (212, ... 1, ) == 0x0 00555 420 NtSetInformationThread (212, BasePriority, {thread info, class 3, size 4}, 4, ... 00556 868 NtTestAlert (... ) == 0x0 00557 868 NtContinue (31259952, 1, ... 00558 868 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00559 868 NtWaitForSingleObject (148, 0, 0x0, ... 00555 420 NtSetInformationThread ... ) == 0x0 00560 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31260672, 1048576, ) == 0x0 00561 420 NtAllocateVirtualMemory (-1, 32301056, 0, 8192, 4096, 4, ... 32301056, 8192, ) == 0x0 00562 420 NtProtectVirtualMemory (-1, (0x1ece000), 4096, 260, ... (0x1ece000), 4096, 4, ) == 0x0 00563 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 216, {416, 872}, ) == 0x0 00564 420 NtQueryInformationThread (216, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=416,Tid=872,}, 0x0, ) == 0x0 00565 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1513, 0} (24, {28, 56, new_msg, 0, 416, 420, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\240\1\0\0h\3\0\0" ... {28, 56, reply, 0, 416, 420, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\240\1\0\0h\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1514, 0} (24, {28, 56, new_msg, 0, 416, 420, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\240\1\0\0h\3\0\0" ... {28, 56, reply, 0, 416, 420, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\240\1\0\0h\3\0\0" ) ) == 0x0 00566 420 NtResumeThread (216, ... 1, ) == 0x0 00567 872 NtTestAlert (... ) == 0x0 00568 872 NtContinue (32308528, 1, ... 00569 872 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00570 872 NtWaitForSingleObject (152, 0, 0x0, ... 00571 420 NtSetInformationThread (216, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0 00572 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32309248, 1048576, ) == 0x0 00573 420 NtAllocateVirtualMemory (-1, 33349632, 0, 8192, 4096, 4, ... 33349632, 8192, ) == 0x0 00574 420 NtProtectVirtualMemory (-1, (0x1fce000), 4096, 260, ... (0x1fce000), 4096, 4, ) == 0x0 00575 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 220, {416, 876}, ) == 0x0 00576 420 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=416,Tid=876,}, 0x0, ) == 0x0 00577 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1514, 0} (24, {28, 56, new_msg, 0, 416, 420, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\240\1\0\0l\3\0\0" ... {28, 56, reply, 0, 416, 420, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\240\1\0\0l\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1515, 0} (24, {28, 56, new_msg, 0, 416, 420, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\240\1\0\0l\3\0\0" ... 
{28, 56, reply, 0, 416, 420, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\240\1\0\0l\3\0\0" ) ) == 0x0 00578 420 NtResumeThread (220, ... 1, ) == 0x0 00579 420 NtSetInformationThread (220, BasePriority, {thread info, class 3, size 4}, 4, ... 00580 876 NtTestAlert (... ) == 0x0 00581 876 NtContinue (33357104, 1, ... 00582 876 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00583 876 NtWaitForSingleObject (156, 0, 0x0, ... 00579 420 NtSetInformationThread ... ) == 0x0 00584 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33357824, 1048576, ) == 0x0 00585 420 NtAllocateVirtualMemory (-1, 34398208, 0, 8192, 4096, 4, ... 34398208, 8192, ) == 0x0 00586 420 NtProtectVirtualMemory (-1, (0x20ce000), 4096, 260, ... (0x20ce000), 4096, 4, ) == 0x0 00587 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 224, {416, 880}, ) == 0x0 00588 420 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=416,Tid=880,}, 0x0, ) == 0x0 00589 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1515, 0} (24, {28, 56, new_msg, 0, 416, 420, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\240\1\0\0p\3\0\0" ... {28, 56, reply, 0, 416, 420, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\240\1\0\0p\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1516, 0} (24, {28, 56, new_msg, 0, 416, 420, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\240\1\0\0p\3\0\0" ... {28, 56, reply, 0, 416, 420, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\240\1\0\0p\3\0\0" ) ) == 0x0 00590 420 NtResumeThread (224, ... 1, ) == 0x0 00591 420 NtSetInformationThread (224, BasePriority, {thread info, class 3, size 4}, 4, ... 00592 880 NtTestAlert (... ) == 0x0 00593 880 NtContinue (34405680, 1, ... 00594 880 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00595 880 NtWaitForSingleObject (160, 0, 0x0, ... 00591 420 NtSetInformationThread ... ) == 0x0 00596 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
34406400, 1048576, ) == 0x0 00597 420 NtAllocateVirtualMemory (-1, 35446784, 0, 8192, 4096, 4, ... 35446784, 8192, ) == 0x0 00598 420 NtProtectVirtualMemory (-1, (0x21ce000), 4096, 260, ... (0x21ce000), 4096, 4, ) == 0x0 00599 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 228, {416, 884}, ) == 0x0 00600 420 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=416,Tid=884,}, 0x0, ) == 0x0 00601 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1516, 0} (24, {28, 56, new_msg, 0, 416, 420, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\240\1\0\0t\3\0\0" ... {28, 56, reply, 0, 416, 420, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\240\1\0\0t\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1517, 0} (24, {28, 56, new_msg, 0, 416, 420, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\240\1\0\0t\3\0\0" ... {28, 56, reply, 0, 416, 420, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\240\1\0\0t\3\0\0" ) ) == 0x0 00602 420 NtResumeThread (228, ... 1, ) == 0x0 00603 420 NtSetInformationThread (228, BasePriority, {thread info, class 3, size 4}, 4, ... 00604 884 NtTestAlert (... ) == 0x0 00605 884 NtContinue (35454256, 1, ... 00606 884 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00607 884 NtWaitForSingleObject (164, 0, 0x0, ... 00603 420 NtSetInformationThread ... ) == 0x0 00608 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 35454976, 1048576, ) == 0x0 00609 420 NtAllocateVirtualMemory (-1, 36495360, 0, 8192, 4096, 4, ... 36495360, 8192, ) == 0x0 00610 420 NtProtectVirtualMemory (-1, (0x22ce000), 4096, 260, ... (0x22ce000), 4096, 4, ) == 0x0 00611 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 232, {416, 888}, ) == 0x0 00612 420 NtQueryInformationThread (232, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=416,Tid=888,}, 0x0, ) == 0x0 00613 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1517, 0} (24, {28, 56, new_msg, 0, 416, 420, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\240\1\0\0x\3\0\0" ... {28, 56, reply, 0, 416, 420, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\240\1\0\0x\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1518, 0} (24, {28, 56, new_msg, 0, 416, 420, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\240\1\0\0x\3\0\0" ... {28, 56, reply, 0, 416, 420, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\240\1\0\0x\3\0\0" ) ) == 0x0 00614 420 NtResumeThread (232, ... 1, ) == 0x0 00615 420 NtSetInformationThread (232, BasePriority, {thread info, class 3, size 4}, 4, ... 00616 888 NtTestAlert (... ) == 0x0 00617 888 NtContinue (36502832, 1, ... 00618 888 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00619 888 NtWaitForSingleObject (168, 0, 0x0, ... 00615 420 NtSetInformationThread ... ) == 0x0 00620 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36503552, 1048576, ) == 0x0 00621 420 NtAllocateVirtualMemory (-1, 37543936, 0, 8192, 4096, 4, ... 37543936, 8192, ) == 0x0 00622 420 NtProtectVirtualMemory (-1, (0x23ce000), 4096, 260, ... (0x23ce000), 4096, 4, ) == 0x0 00623 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 236, {416, 892}, ) == 0x0 00624 420 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=416,Tid=892,}, 0x0, ) == 0x0 00625 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 416, 420, 1518, 0} (24, {28, 56, new_msg, 0, 416, 420, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\240\1\0\0|\3\0\0" ... {28, 56, reply, 0, 416, 420, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\240\1\0\0|\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1519, 0} (24, {28, 56, new_msg, 0, 416, 420, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\240\1\0\0|\3\0\0" ... 
{28, 56, reply, 0, 416, 420, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\240\1\0\0|\3\0\0" ) ) == 0x0 00626 420 NtResumeThread (236, ... 1, ) == 0x0 00627 420 NtSetInformationThread (236, BasePriority, {thread info, class 3, size 4}, 4, ... 00628 892 NtTestAlert (... ) == 0x0 00629 892 NtContinue (37551408, 1, ... 00630 892 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00631 892 NtWaitForSingleObject (172, 0, 0x0, ... 00627 420 NtSetInformationThread ... ) == 0x0 00632 420 NtSetEvent (156, ... 00583 876 NtWaitForSingleObject ... ) == 0x0 00633 876 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00634 876 NtWaitForSingleObject (156, 0, 0x0, ... 00632 420 NtSetEvent ... 0x0, ) == 0x0 00635 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00636 420 NtSetEvent (120, ... 00475 676 NtWaitForSingleObject ... ) == 0x0 00637 676 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00638 676 NtWaitForSingleObject (120, 0, 0x0, ... 00636 420 NtSetEvent ... 0x0, ) == 0x0 00639 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00640 420 NtQueryVirtualMemory (-1, 0x10000, Basic, 28, ... {BaseAddress=0x10000,AllocationBase=0x10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 00641 420 NtSetEvent (168, ... 00619 888 NtWaitForSingleObject ... ) == 0x0 00642 888 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00643 888 NtWaitForSingleObject (168, 0, 0x0, ... 00641 420 NtSetEvent ... 0x0, ) == 0x0 00644 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00645 420 NtSetEvent (140, ... 00535 860 NtWaitForSingleObject ... ) == 0x0 00646 860 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00647 860 NtWaitForSingleObject (140, 0, 0x0, ... 00645 420 NtSetEvent ... 0x0, ) == 0x0 00648 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00649 420 NtSetEvent (164, ... 00607 884 NtWaitForSingleObject ... ) == 0x0 00650 884 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00651 884 NtWaitForSingleObject (164, 0, 0x0, ... 00649 420 NtSetEvent ... 
0x0, ) == 0x0 00652 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00653 420 NtSetEvent (124, ... 00487 796 NtWaitForSingleObject ... ) == 0x0 00654 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00655 796 NtWaitForSingleObject (124, 0, 0x0, ... 00653 420 NtSetEvent ... 0x0, ) == 0x0 00656 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00657 420 NtUserGetForegroundWindow (... ) == 0x2005c 00658 420 NtUserQueryWindow (131164, 0, ... ) == 0x7f0 00659 420 NtSetEvent (124, ... 00655 796 NtWaitForSingleObject ... ) == 0x0 00660 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00661 796 NtWaitForSingleObject (124, 0, 0x0, ... 00659 420 NtSetEvent ... 0x0, ) == 0x0 00662 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00663 420 NtSetEvent (152, ... 00570 872 NtWaitForSingleObject ... ) == 0x0 00664 872 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00665 872 NtWaitForSingleObject (152, 0, 0x0, ... 00663 420 NtSetEvent ... 0x0, ) == 0x0 00666 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00667 420 NtSetEvent (124, ... 00661 796 NtWaitForSingleObject ... ) == 0x0 00668 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00669 796 NtWaitForSingleObject (124, 0, 0x0, ... 00667 420 NtSetEvent ... 0x0, ) == 0x0 00670 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00671 420 NtUserFindWindowEx (0, 0, (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00672 420 NtUserFindWindowEx (0, 0, (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00673 420 NtUserFindWindowEx (0, 0, (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00674 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00675 420 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00676 420 NtCreateSection (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 240, ) == 0x0 00348 568 NtDelayExecution ... ) == 0x0 00358 588 NtDelayExecution ... ) == 0x0 00370 572 NtDelayExecution ... ) == 0x0 00380 580 NtDelayExecution ... 
) == 0x0 00392 584 NtDelayExecution ... ) == 0x0 00402 576 NtDelayExecution ... ) == 0x0 00414 596 NtDelayExecution ... ) == 0x0 00677 568 NtDelayExecution (0, {-20010000, -1}, ... 00678 588 NtDelayExecution (0, {-20010000, -1}, ... 00679 572 NtContinue (15531236, 0, ... 00680 580 NtDelayExecution (0, {-20010000, -1}, ... 00681 584 NtDelayExecution (0, {-20010000, -1}, ... 00682 576 NtDelayExecution (0, {-20010000, -1}, ... 00683 596 NtDelayExecution (0, {-20010000, -1}, ... 00684 572 NtDelayExecution (0, {-20010000, -1}, ... 00685 420 NtMapViewOfSection (240, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x23e0000), 0x0, 4194304, ) == 0x0 00686 420 NtAllocateVirtualMemory (-1, 37617664, 0, 1, 4096, 4, ... 37617664, 4096, ) == 0x0 00687 420 NtCreateSection (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 244, ) == 0x0 00688 420 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x27e0000), 0x0, 4194304, ) == 0x0 00689 420 NtAllocateVirtualMemory (-1, 41811968, 0, 1, 4096, 4, ... 41811968, 4096, ) == 0x0 00690 420 NtCreateSection (0xf0007, 0x0, {29444, 0}, 4, 134217728, 0, ... 248, ) == 0x0 00691 420 NtMapViewOfSection (248, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2be0000), {0, 0}, 32768, ) == 0x0 00692 420 NtUnmapViewOfSection (-1, 0x2be0000, ... ) == 0x0 00693 420 NtMapViewOfSection (248, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2be0000), {0, 0}, 32768, ) == 0x0 00694 420 NtClose (244, ... ) == 0x0 00695 420 NtUnmapViewOfSection (-1, 0x27e0000, ... ) == 0x0 00696 420 NtClose (240, ... ) == 0x0 00697 420 NtUnmapViewOfSection (-1, 0x23e0000, ... ) == 0x0 00698 420 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00699 420 NtUnmapViewOfSection (-1, 0x2be0000, ... ) == 0x0 00700 420 NtMapViewOfSection (248, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x23d0000), {0, 0}, 32768, ) == 0x0 00701 420 NtUnmapViewOfSection (-1, 0x23d0000, ... 
) == 0x0 00702 420 NtMapViewOfSection (248, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x23d0000), {0, 0}, 32768, ) == 0x0 00703 420 NtUnmapViewOfSection (-1, 0x23d0000, ... ) == 0x0 00704 420 NtSetEvent (124, ... 00669 796 NtWaitForSingleObject ... ) == 0x0 00705 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00706 796 NtWaitForSingleObject (124, 0, 0x0, ... 00704 420 NtSetEvent ... 0x0, ) == 0x0 00707 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00708 420 NtSetEvent (132, ... 00511 712 NtWaitForSingleObject ... ) == 0x0 00709 712 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00710 712 NtWaitForSingleObject (132, 0, 0x0, ... 00708 420 NtSetEvent ... 0x0, ) == 0x0 00711 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00712 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00713 420 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00714 420 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00715 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00716 420 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00717 420 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00718 420 NtContinue (1243040, 0, ... 00719 420 NtSetEvent (132, ... 00710 712 NtWaitForSingleObject ... ) == 0x0 00720 712 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00721 712 NtWaitForSingleObject (132, 0, 0x0, ... 00719 420 NtSetEvent ... 0x0, ) == 0x0 00722 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00723 420 NtSetEvent (112, ... 00451 728 NtWaitForSingleObject ... ) == 0x0 00724 728 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00725 728 NtWaitForSingleObject (112, 0, 0x0, ... 00723 420 NtSetEvent ... 0x0, ) == 0x0 00726 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00727 420 NtSetEvent (160, ... 00595 880 NtWaitForSingleObject ... ) == 0x0 00728 880 NtDelayExecution (0, {0, 0}, ... 
) == 0x0 00729 880 NtWaitForSingleObject (160, 0, 0x0, ... 00727 420 NtSetEvent ... 0x0, ) == 0x0 00730 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00731 420 NtUserFindWindowEx (0, 0, (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00732 420 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00733 420 NtUserFindWindowEx (0, 0, (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00734 420 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00735 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00736 420 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00737 420 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00738 420 NtAllocateVirtualMemory (-1, 0, 0, 1000, 4096, 4, ... 37552128, 4096, ) == 0x0 00739 420 NtQueryInformationProcess (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0 00740 420 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 4096, ) == 0x0 00741 420 NtUserFindWindowEx (0, 0, (0, 0, "RegmonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00742 420 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "Registry Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00743 420 NtUserFindWindowEx (0, 0, (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00744 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00745 420 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00746 420 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00747 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00748 420 NtQuerySystemInformation (Module, 65536, ... 
{system info, class 11, size 500}, 0x0, ) == 0x0 00749 420 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00750 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 37552128, 65536, ) == 0x0 00751 420 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00752 420 NtFreeVirtualMemory (-1, (0x23d0000), 0, 32768, ... (0x23d0000), 65536, ) == 0x0 00753 420 NtSetEvent (140, ... 00647 860 NtWaitForSingleObject ... ) == 0x0 00754 860 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00755 860 NtWaitForSingleObject (140, 0, 0x0, ... 00753 420 NtSetEvent ... 0x0, ) == 0x0 00756 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00757 420 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "SOFTWARE\NuMega\DriverStudio"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00758 420 NtSetEvent (136, ... 00523 840 NtWaitForSingleObject ... ) == 0x0 00759 840 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00760 840 NtWaitForSingleObject (136, 0, 0x0, ... 00758 420 NtSetEvent ... 0x0, ) == 0x0 00761 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00762 420 NtSetEvent (116, ... 00463 736 NtWaitForSingleObject ... ) == 0x0 00763 736 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00764 736 NtWaitForSingleObject (116, 0, 0x0, ... 00762 420 NtSetEvent ... 0x0, ) == 0x0 00765 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00766 420 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work"}, 3, 33, ... 240, {status=0x0, info=1}, ) }, 3, 33, ... 240, {status=0x0, info=1}, ) == 0x0 00767 420 NtQueryVolumeInformationFile (240, 1244908, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00768 420 NtClose (12, ... ) == 0x0 00769 420 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 4, ... 37552128, 4096, ) == 0x0 00770 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 12, ) }, ... 
12, ) == 0x0 00771 420 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00772 420 NtClose (12, ... ) == 0x0 00773 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 12, ) }, ... 12, ) == 0x0 00774 420 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00775 420 NtClose (12, ... ) == 0x0 00776 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 12, ) }, ... 12, ) == 0x0 00777 420 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00778 420 NtClose (12, ... ) == 0x0 00779 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00780 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 37617664, 65536, ) == 0x0 00781 420 NtAllocateVirtualMemory (-1, 37617664, 0, 4096, 4096, 4, ... 37617664, 4096, ) == 0x0 00782 420 NtAllocateVirtualMemory (-1, 37621760, 0, 8192, 4096, 4, ... 37621760, 8192, ) == 0x0 00783 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 12, ) }, ... 12, ) == 0x0 00784 420 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x23f0000), 0x0, 12288, ) == 0x0 00785 420 NtClose (12, ... ) == 0x0 00786 420 NtAllocateVirtualMemory (-1, 37629952, 0, 4096, 4096, 4, ... 37629952, 4096, ) == 0x0 00787 420 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00788 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00789 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 12, ) }, ... 12, ) == 0x0 00790 420 NtQueryValueKey (12, (12, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (12, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00791 420 NtClose (12, ... ) == 0x0 00792 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00793 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00794 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00795 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00796 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 12, ) }, ... 12, ) == 0x0 00797 420 NtQueryValueKey (12, (12, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00798 420 NtQueryValueKey (12, (12, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00799 420 NtQueryValueKey (12, (12, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00800 420 NtClose (12, ... ) == 0x0 00801 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 12, ) }, ... 12, ) == 0x0 00802 420 NtQueryValueKey (12, (12, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00803 420 NtQueryValueKey (12, (12, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 420 NtClose (12, ... ) == 0x0 00805 420 NtOpenEvent (0x1f0003, {24, 56, 0x0, 0, 0, (0x1f0003, {24, 56, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00806 420 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00807 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00808 420 NtOpenKey (0x9, {24, 48, 0x40, 0, 0, (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00809 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00810 420 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00811 420 NtQueryVolumeInformationFile (12, 1244912, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00812 420 NtClose (240, ... ) == 0x0 00813 420 NtAllocateVirtualMemory (-1, 0, 0, 200000, 4096, 4, ... 
37748736, 200704, ) == 0x0 00814 420 NtAllocateVirtualMemory (-1, 0, 0, 1024, 4096, 4, ... 38010880, 4096, ) == 0x0 00815 420 NtSetEvent (140, ... 00755 860 NtWaitForSingleObject ... ) == 0x0 00816 860 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00817 860 NtWaitForSingleObject (140, 0, 0x0, ... 00815 420 NtSetEvent ... 0x0, ) == 0x0 00818 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00819 420 NtSetEvent (168, ... 00643 888 NtWaitForSingleObject ... ) == 0x0 00820 888 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00821 888 NtWaitForSingleObject (168, 0, 0x0, ... 00819 420 NtSetEvent ... 0x0, ) == 0x0 00822 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00823 420 NtSetEvent (168, ... 00821 888 NtWaitForSingleObject ... ) == 0x0 00824 888 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00825 888 NtWaitForSingleObject (168, 0, 0x0, ... 00823 420 NtSetEvent ... 0x0, ) == 0x0 00826 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00827 420 NtSetEvent (156, ... 00634 876 NtWaitForSingleObject ... ) == 0x0 00828 876 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00829 876 NtWaitForSingleObject (156, 0, 0x0, ... 00827 420 NtSetEvent ... 0x0, ) == 0x0 00830 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00831 420 NtSetEvent (140, ... 00817 860 NtWaitForSingleObject ... ) == 0x0 00832 860 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00833 860 NtWaitForSingleObject (140, 0, 0x0, ... 00831 420 NtSetEvent ... 0x0, ) == 0x0 00834 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00835 420 NtSetEvent (128, ... 00498 792 NtWaitForSingleObject ... ) == 0x0 00836 792 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00837 792 NtWaitForSingleObject (128, 0, 0x0, ... 00835 420 NtSetEvent ... 0x0, ) == 0x0 00838 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00839 420 NtSetEvent (164, ... 00651 884 NtWaitForSingleObject ... ) == 0x0 00840 884 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00841 884 NtWaitForSingleObject (164, 0, 0x0, ... 00839 420 NtSetEvent ... 0x0, ) == 0x0 00842 420 NtDelayExecution (0, {0, 0}, ... 
) == 0x0 00843 420 NtSetEvent (168, ... 00825 888 NtWaitForSingleObject ... ) == 0x0 00844 888 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00845 888 NtWaitForSingleObject (168, 0, 0x0, ... 00843 420 NtSetEvent ... 0x0, ) == 0x0 00846 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00847 420 NtSetEvent (144, ... 00547 864 NtWaitForSingleObject ... ) == 0x0 00848 864 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00849 864 NtWaitForSingleObject (144, 0, 0x0, ... 00847 420 NtSetEvent ... 0x0, ) == 0x0 00850 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00851 420 NtSetEvent (160, ... 00729 880 NtWaitForSingleObject ... ) == 0x0 00852 880 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00853 880 NtWaitForSingleObject (160, 0, 0x0, ... 00851 420 NtSetEvent ... 0x0, ) == 0x0 00854 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00855 420 NtSetEvent (112, ... 00725 728 NtWaitForSingleObject ... ) == 0x0 00856 728 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00857 728 NtWaitForSingleObject (112, 0, 0x0, ... 00855 420 NtSetEvent ... 0x0, ) == 0x0 00858 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00859 420 NtSetEvent (136, ... 00760 840 NtWaitForSingleObject ... ) == 0x0 00860 840 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00861 840 NtWaitForSingleObject (136, 0, 0x0, ... 00859 420 NtSetEvent ... 0x0, ) == 0x0 00862 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00863 420 NtSetEvent (168, ... 00845 888 NtWaitForSingleObject ... ) == 0x0 00864 888 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00865 888 NtWaitForSingleObject (168, 0, 0x0, ... 00863 420 NtSetEvent ... 0x0, ) == 0x0 00866 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00867 420 NtSetEvent (132, ... 00721 712 NtWaitForSingleObject ... ) == 0x0 00868 712 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00869 712 NtWaitForSingleObject (132, 0, 0x0, ... 00867 420 NtSetEvent ... 0x0, ) == 0x0 00870 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00871 420 NtSetEvent (112, ... 00857 728 NtWaitForSingleObject ... 
) == 0x0 00872 728 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00873 728 NtWaitForSingleObject (112, 0, 0x0, ... 00871 420 NtSetEvent ... 0x0, ) == 0x0 00874 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00875 420 NtProtectVirtualMemory (-1, (0x401000), 52696, 64, ... (0x401000), 53248, 8, ) == 0x0 00876 420 NtUserFindWindowEx (0, 0, (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00877 420 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00878 420 NtUserFindWindowEx (0, 0, (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0 00879 420 NtUserFindWindowEx (0, 0, 0x0, (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0 00880 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 38076416, 65536, ) == 0x0 00881 420 NtQuerySystemInformation (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0 00882 420 NtFreeVirtualMemory (-1, (0x2450000), 0, 32768, ... (0x2450000), 65536, ) == 0x0 00883 420 NtSetEvent (120, ... 00638 676 NtWaitForSingleObject ... ) == 0x0 00884 676 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00885 676 NtWaitForSingleObject (120, 0, 0x0, ... 00883 420 NtSetEvent ... 0x0, ) == 0x0 00886 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00887 420 NtSetEvent (160, ... 00853 880 NtWaitForSingleObject ... ) == 0x0 00888 880 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00889 880 NtWaitForSingleObject (160, 0, 0x0, ... 00887 420 NtSetEvent ... 0x0, ) == 0x0 00890 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00891 420 NtAllocateVirtualMemory (-1, 0, 0, 532480, 4096, 4, ... 38076416, 532480, ) == 0x0 00892 420 NtFreeVirtualMemory (-1, (0x2450000), 0, 32768, ... (0x2450000), 532480, ) == 0x0 00893 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 38076416, 1048576, ) == 0x0 00894 420 NtAllocateVirtualMemory (-1, 39116800, 0, 8192, 4096, 4, ... 
39116800, 8192, ) == 0x0 00895 420 NtProtectVirtualMemory (-1, (0x254e000), 4096, 260, ... (0x254e000), 4096, 4, ) == 0x0 00896 420 NtCreateThread (0x1f03ff, 0x0, -1, 1244208, 1244924, 1, ... 240, {416, 896}, ) == 0x0 00897 420 NtQueryInformationThread (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=416,Tid=896,}, 0x0, ) == 0x0 00898 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 131108, 2147348480, 1243932, 34} (24, {28, 56, new_msg, 0, 131108, 2147348480, 1243932, 34} "\0\0\0\0\1\0\1\07(\365w\240o\374w\360\0\0\0\240\1\0\0\200\3\0\0" ... {28, 56, reply, 0, 416, 420, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\240o\374w\360\0\0\0\240\1\0\0\200\3\0\0" ) ... {28, 56, reply, 0, 416, 420, 1520, 0} (24, {28, 56, new_msg, 0, 131108, 2147348480, 1243932, 34} "\0\0\0\0\1\0\1\07(\365w\240o\374w\360\0\0\0\240\1\0\0\200\3\0\0" ... {28, 56, reply, 0, 416, 420, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\240o\374w\360\0\0\0\240\1\0\0\200\3\0\0" ) ) == 0x0 00899 420 NtResumeThread (240, ... 1, ) == 0x0 00900 420 NtSetEvent (168, ... 00901 896 NtTestAlert (... ) == 0x0 00902 896 NtContinue (39124272, 1, ... 00903 896 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00904 896 NtDelayExecution (0, {-40000000, -1}, ... 00865 888 NtWaitForSingleObject ... ) == 0x0 00905 888 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00906 888 NtWaitForSingleObject (168, 0, 0x0, ... 00900 420 NtSetEvent ... 0x0, ) == 0x0 00907 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00908 420 NtSetEvent (112, ... 00873 728 NtWaitForSingleObject ... ) == 0x0 00909 728 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00910 728 NtWaitForSingleObject (112, 0, 0x0, ... 00908 420 NtSetEvent ... 0x0, ) == 0x0 00911 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00912 420 NtProtectVirtualMemory (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 00913 420 NtProtectVirtualMemory (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0 00914 420 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 4, ... 
39124992, 4096, ) == 0x0 00915 420 NtAllocateVirtualMemory (-1, 0, 0, 8192, 4096, 4, ... 39190528, 8192, ) == 0x0 00916 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 64, ... 39256064, 65536, ) == 0x0 00917 420 NtAllocateVirtualMemory (-1, 0, 0, 2928, 4096, 4, ... 39321600, 4096, ) == 0x0 00918 420 NtAllocateVirtualMemory (-1, 0, 0, 1899, 4096, 64, ... 39387136, 4096, ) == 0x0 00919 420 NtFreeVirtualMemory (-1, (0x2580000), 0, 32768, ... (0x2580000), 4096, ) == 0x0 00920 420 NtAllocateVirtualMemory (-1, 0, 0, 1584, 4096, 4, ... 39321600, 4096, ) == 0x0 00921 420 NtFreeVirtualMemory (-1, (0x2580000), 0, 32768, ... (0x2580000), 4096, ) == 0x0 00922 420 NtAllocateVirtualMemory (-1, 0, 0, 3316, 4096, 4, ... 39321600, 4096, ) == 0x0 00923 420 NtFreeVirtualMemory (-1, (0x2580000), 0, 32768, ... (0x2580000), 4096, ) == 0x0 00924 420 NtAllocateVirtualMemory (-1, 0, 0, 3712, 4096, 4, ... 39321600, 4096, ) == 0x0 00925 420 NtAllocateVirtualMemory (-1, 0, 0, 979, 4096, 64, ... 39452672, 4096, ) == 0x0 00926 420 NtAllocateVirtualMemory (-1, 0, 0, 1752, 4096, 64, ... 39518208, 4096, ) == 0x0 00927 420 NtAllocateVirtualMemory (-1, 0, 0, 6930, 4096, 64, ... 39583744, 8192, ) == 0x0 00928 420 NtAllocateVirtualMemory (-1, 0, 0, 3944, 4096, 64, ... 39649280, 4096, ) == 0x0 00929 420 NtAllocateVirtualMemory (-1, 0, 0, 2879, 4096, 64, ... 39714816, 4096, ) == 0x0 00930 420 NtAllocateVirtualMemory (-1, 0, 0, 2236, 4096, 64, ... 39780352, 4096, ) == 0x0 00931 420 NtAllocateVirtualMemory (-1, 0, 0, 2114, 4096, 64, ... 39845888, 4096, ) == 0x0 00932 420 NtAllocateVirtualMemory (-1, 0, 0, 1099, 4096, 64, ... 39911424, 4096, ) == 0x0 00933 420 NtAllocateVirtualMemory (-1, 0, 0, 2825, 4096, 64, ... 39976960, 4096, ) == 0x0 00934 420 NtAllocateVirtualMemory (-1, 0, 0, 1679, 4096, 64, ... 40042496, 4096, ) == 0x0 00935 420 NtAllocateVirtualMemory (-1, 0, 0, 8261, 4096, 64, ... 40108032, 12288, ) == 0x0 00936 420 NtAllocateVirtualMemory (-1, 0, 0, 1715, 4096, 64, ... 
40173568, 4096, ) == 0x0 00937 420 NtAllocateVirtualMemory (-1, 0, 0, 3857, 4096, 64, ... 40239104, 4096, ) == 0x0 00938 420 NtAllocateVirtualMemory (-1, 0, 0, 713, 4096, 64, ... 40304640, 4096, ) == 0x0 00939 420 NtAllocateVirtualMemory (-1, 0, 0, 1438, 4096, 64, ... 40370176, 4096, ) == 0x0 00940 420 NtAllocateVirtualMemory (-1, 0, 0, 1413, 4096, 64, ... 40435712, 4096, ) == 0x0 00941 420 NtAllocateVirtualMemory (-1, 0, 0, 2421, 4096, 64, ... 40501248, 4096, ) == 0x0 00942 420 NtAllocateVirtualMemory (-1, 0, 0, 1941, 4096, 64, ... 40566784, 4096, ) == 0x0 00943 420 NtAllocateVirtualMemory (-1, 0, 0, 5810, 4096, 64, ... 40632320, 8192, ) == 0x0 00944 420 NtAllocateVirtualMemory (-1, 0, 0, 614, 4096, 64, ... 40697856, 4096, ) == 0x0 00945 420 NtAllocateVirtualMemory (-1, 0, 0, 1120, 4096, 64, ... 40763392, 4096, ) == 0x0 00946 420 NtAllocateVirtualMemory (-1, 0, 0, 1760, 4096, 64, ... 40828928, 4096, ) == 0x0 00947 420 NtAllocateVirtualMemory (-1, 0, 0, 2883, 4096, 64, ... 40894464, 4096, ) == 0x0 00948 420 NtAllocateVirtualMemory (-1, 0, 0, 3314, 4096, 64, ... 40960000, 4096, ) == 0x0 00949 420 NtAllocateVirtualMemory (-1, 0, 0, 279, 4096, 64, ... 41025536, 4096, ) == 0x0 00950 420 NtAllocateVirtualMemory (-1, 0, 0, 4374, 4096, 64, ... 41091072, 8192, ) == 0x0 00951 420 NtAllocateVirtualMemory (-1, 0, 0, 1804, 4096, 64, ... 41156608, 4096, ) == 0x0 00952 420 NtAllocateVirtualMemory (-1, 0, 0, 2671, 4096, 64, ... 41222144, 4096, ) == 0x0 00953 420 NtFreeVirtualMemory (-1, (0x2580000), 0, 32768, ... (0x2580000), 4096, ) == 0x0 00954 420 NtFreeVirtualMemory (-1, (0x2400000), 0, 32768, ... (0x2400000), 200704, ) == 0x0 00955 420 NtFreeVirtualMemory (-1, (0x2440000), 0, 32768, ... (0x2440000), 4096, ) == 0x0 00956 420 NtFreeVirtualMemory (-1, (0x2560000), 0, 32768, ... (0x2560000), 8192, ) == 0x0 00957 420 NtFreeVirtualMemory (-1, (0x2570000), 0, 32768, ... (0x2570000), 65536, ) == 0x0 00958 420 NtFreeVirtualMemory (-1, (0x2550000), 0, 32768, ... 
(0x2550000), 4096, ) == 0x0 00959 420 NtSetEvent (140, ... 00833 860 NtWaitForSingleObject ... ) == 0x0 00960 860 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00961 860 NtWaitForSingleObject (140, 0, 0x0, ... 00959 420 NtSetEvent ... 0x0, ) == 0x0 00962 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00963 420 NtSetEvent (116, ... 00764 736 NtWaitForSingleObject ... ) == 0x0 00964 736 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00965 736 NtWaitForSingleObject (116, 0, 0x0, ... 00963 420 NtSetEvent ... 0x0, ) == 0x0 00966 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00967 420 NtProtectVirtualMemory (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 00968 420 NtProtectVirtualMemory (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0 00969 420 NtSetEvent (152, ... 00665 872 NtWaitForSingleObject ... ) == 0x0 00970 872 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00971 872 NtWaitForSingleObject (152, 0, 0x0, ... 00969 420 NtSetEvent ... 0x0, ) == 0x0 00972 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00973 420 NtSetEvent (140, ... 00961 860 NtWaitForSingleObject ... ) == 0x0 00974 860 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00975 860 NtWaitForSingleObject (140, 0, 0x0, ... 00973 420 NtSetEvent ... 0x0, ) == 0x0 00976 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00977 420 NtSetEvent (124, ... 00706 796 NtWaitForSingleObject ... ) == 0x0 00978 796 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00979 796 NtWaitForSingleObject (124, 0, 0x0, ... 00977 420 NtSetEvent ... 0x0, ) == 0x0 00980 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00981 420 NtProtectVirtualMemory (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 00982 420 NtProtectVirtualMemory (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0 00983 420 NtSetEvent (168, ... 00906 888 NtWaitForSingleObject ... ) == 0x0 00984 888 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00985 888 NtWaitForSingleObject (168, 0, 0x0, ... 00983 420 NtSetEvent ... 
0x0, ) == 0x0 00986 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00987 420 NtSetEvent (152, ... 00971 872 NtWaitForSingleObject ... ) == 0x0 00988 872 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00989 872 NtWaitForSingleObject (152, 0, 0x0, ... 00987 420 NtSetEvent ... 0x0, ) == 0x0 00990 420 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00991 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00992 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ws2_32.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00993 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ws2_32.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00994 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 00995 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0 00996 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 244, ... 252, ) == 0x0 00997 420 NtQuerySection (252, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00998 420 NtClose (244, ... ) == 0x0 00999 420 NtMapViewOfSection (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 01000 420 NtClose (252, ... ) == 0x0 01001 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01002 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241204, ... ) }, 1241204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01003 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241204, ... ) }, 1241204, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01004 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241204, ... ) }, 1241204, ... ) == 0x0 01005 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 252, {status=0x0, info=1}, ) }, 5, 96, ... 252, {status=0x0, info=1}, ) == 0x0 01006 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 252, ... 244, ) == 0x0 01007 420 NtQuerySection (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01008 420 NtClose (252, ... ) == 0x0 01009 420 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 01010 420 NtClose (244, ... ) == 0x0 01011 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01012 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01013 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 244, ) }, ... 244, ) == 0x0 01014 420 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 01015 420 NtClose (244, ... ) == 0x0 01016 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 244, ) }, ... 244, ) == 0x0 01017 420 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 01018 420 NtClose (244, ... ) == 0x0 01019 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 244, ) }, ... 244, ) == 0x0 01020 420 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 01021 420 NtClose (244, ... 
) == 0x0 01022 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 244, ) }, ... 244, ) == 0x0 01023 420 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 01024 420 NtClose (244, ... ) == 0x0 01025 420 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01026 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01027 420 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 01028 420 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 01029 420 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 01030 420 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 01031 420 NtCreateEvent (0x1f0003, {24, 56, 0x80, 1242140, 0, (0x1f0003, {24, 56, 0x80, 1242140, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 01032 420 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 244, ) }, ... 244, ) == 0x0 01033 420 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 01034 420 NtCreateKey (0xf003f, {24, 52, 0x40, 0, 0, (0xf003f, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 252, 2, ) }, 0, 0x0, 0, ... 252, 2, ) == 0x0 01035 420 NtQueryDefaultUILanguage (1240376, ... 01036 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01037 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01038 420 NtQueryInformationToken (-2147482020, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01039 420 NtClose (-2147482020, ... ) == 0x0 01040 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01041 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01042 420 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01043 420 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01044 420 NtClose (-2147482032, ... ) == 0x0 01045 420 NtClose (-2147482020, ... ) == 0x0 01035 420 NtQueryDefaultUILanguage ... ) == 0x0 01046 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01047 420 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 01048 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 256, {status=0x0, info=1}, ) }, 1, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01049 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 256, ... 260, ) == 0x0 01050 420 NtMapViewOfSection (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2760000), 0x0, 593920, ) == 0x0 01051 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01052 420 NtQueryDefaultUILanguage (2013024600, ... 01053 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01054 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01055 420 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01056 420 NtClose (-2147482020, ... ) == 0x0 01057 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01058 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01059 420 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01060 420 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01061 420 NtClose (-2147482032, ... ) == 0x0 01062 420 NtClose (-2147482020, ... ) == 0x0 01052 420 NtQueryDefaultUILanguage ... ) == 0x0 01063 420 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 01064 420 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 01065 420 NtQueryDefaultLocale (1, 1238412, ... ) == 0x0 01066 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01067 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1239268, 1, 96, 0} (24, {128, 156, new_msg, 0, 1239268, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\1\0\0\377\377\377\377\0\0\0\0P\275}\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\344\357\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 416, 420, 1521, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\1\0\0\377\377\377\377\0\0\0\0P\275}\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\344\357\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 416, 420, 1521, 0} (24, {128, 156, new_msg, 0, 1239268, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\1\0\0\377\377\377\377\0\0\0\0P\275}\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\344\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 420, 1521, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\1\0\0\377\377\377\377\0\0\0\0P\275}\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\344\357\22\0\0\0\0\0" ) ) == 0x0 01068 420 NtClose (256, ... ) == 0x0 01069 420 NtClose (260, ... ) == 0x0 01070 420 NtUnmapViewOfSection (-1, 0x2760000, ... ) == 0x0 01071 420 NtUnmapViewOfSection (-1, 0x12efe4, ... ) == STATUS_NOT_MAPPED_VIEW 01072 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01073 420 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01074 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01075 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01076 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236952, ... ) }, 1236952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01077 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01078 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01079 420 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 01080 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237544, ... ) }, 1237544, ... ) == 0x0 01081 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 260, {status=0x0, info=1}, ) }, 3, 33, ... 260, {status=0x0, info=1}, ) == 0x0 01082 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01083 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 256, {status=0x0, info=1}, ) }, 5, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01084 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 256, ... 264, ) == 0x0 01085 420 NtClose (256, ... ) == 0x0 01086 420 NtMapViewOfSection (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2760000), 0x0, 921600, ) == 0x0 01087 420 NtClose (264, ... ) == 0x0 01088 420 NtUnmapViewOfSection (-1, 0x2760000, ... ) == 0x0 01089 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0 01090 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 264, ... 256, ) == 0x0 01091 420 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01092 420 NtClose (264, ... ) == 0x0 01093 420 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 01094 420 NtClose (256, ... ) == 0x0 01095 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01096 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 01097 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01098 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01099 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01100 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01101 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01102 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01103 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01104 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01105 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01106 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01107 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01108 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01109 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01110 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01111 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01112 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01113 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01114 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01115 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01116 420 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238728, ... ) , 42, 1238728, ... ) == 0x0 01117 420 NtQueryDefaultUILanguage (1237444, ... 01118 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01119 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01120 420 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01121 420 NtClose (-2147482020, ... ) == 0x0 01122 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01123 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01124 420 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01125 420 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01126 420 NtClose (-2147482032, ... ) == 0x0 01127 420 NtClose (-2147482020, ... ) == 0x0 01117 420 NtQueryDefaultUILanguage ... ) == 0x0 01128 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01129 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236296, ... ) }, 1236296, ... ) == 0x0 01130 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 256, {status=0x0, info=1}, ) }, 5, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01131 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 256, ... 264, ) == 0x0 01132 420 NtClose (256, ... ) == 0x0 01133 420 NtMapViewOfSection (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2410000), 0x0, 4096, ) == 0x0 01134 420 NtClose (264, ... 
) == 0x0 01135 420 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01136 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235936, ... ) }, 1235936, ... ) == 0x0 01137 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236636, (0x80100080, {24, 0, 0x40, 0, 1236636, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 264, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 264, {status=0x0, info=1}, ) == 0x0 01138 420 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 264, ... 256, ) == 0x0 01139 420 NtClose (264, ... ) == 0x0 01140 420 NtMapViewOfSection (256, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2410000), {0, 0}, 4096, ) == 0x0 01141 420 NtClose (256, ... ) == 0x0 01142 420 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01143 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 256, {status=0x0, info=1}, ) }, 1, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01144 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 256, ... 264, ) == 0x0 01145 420 NtMapViewOfSection (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2410000), 0x0, 4096, ) == 0x0 01146 420 NtQueryInformationFile (256, 1236256, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 01147 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01148 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236336, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236336, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\0\1\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\344\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 416, 420, 1522, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\0\1\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\344\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 416, 420, 1522, 0} (24, {128, 156, new_msg, 0, 1236336, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\0\1\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 420, 1522, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\0\1\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\344\22\0\0\0\0\0" ) ) == 0x0 01149 420 NtClose (256, ... ) == 0x0 01150 420 NtClose (264, ... ) == 0x0 01151 420 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01152 420 NtUnmapViewOfSection (-1, 0x12e470, ... ) == STATUS_NOT_MAPPED_VIEW 01153 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01154 420 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01155 420 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 01156 420 NtUserGetDC (0, ... ) == 0x1010053 01157 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01158 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01159 420 NtContinue (1236292, 0, ... 01160 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01161 420 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 01162 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01163 420 NtUnmapViewOfSection (-1, 0x2400000, ... ) == 0x0 01164 420 NtClose (260, ... 
) == 0x0 01165 420 NtCreateKey (0x2001f, {24, 52, 0x40, 0, 0, (0x2001f, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 260, 2, ) }, 0, 0x0, 0, ... 260, 2, ) == 0x0 01166 420 NtQueryValueKey (260, (260, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01167 420 NtQueryValueKey (260, (260, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 420 NtQueryValueKey (260, (260, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01169 420 NtQueryValueKey (260, (260, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01170 420 NtQueryValueKey (260, (260, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01171 420 NtQueryValueKey (260, (260, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 420 NtQueryValueKey (260, (260, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01173 420 NtQueryValueKey (260, (260, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01174 420 NtQueryValueKey (260, (260, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01175 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01176 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1241480, ... ) }, 1241480, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01177 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1241480, ... ) }, 1241480, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01178 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1241480, ... ) }, 1241480, ... ) == 0x0 01179 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0 01180 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 264, ... 256, ) == 0x0 01181 420 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01182 420 NtClose (264, ... ) == 0x0 01183 420 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 01184 420 NtClose (256, ... ) == 0x0 01185 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 256, ) == 0x0 01186 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 264, ) == 0x0 01187 420 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 268, ) }, ... 268, ) == 0x0 01188 420 NtQueryEvent (268, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01189 420 NtClose (268, ... ) == 0x0 01190 420 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1242964, 140, ... 268, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1242964, 140, ... 268, 0x0, 0x0, 256, 140, ) == 0x0 01191 420 NtRequestWaitReplyPort (268, {28, 52, new_msg, 0, 0, 0, 0, 0} (268, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... 
{176, 200, reply, 0, 416, 420, 1524, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 416, 420, 1524, 0} (268, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 416, 420, 1524, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 01192 420 NtQueryValueKey (260, (260, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01193 420 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 272, ) }, ... 272, ) == 0x0 01194 420 NtQueryValueKey (272, (272, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01195 420 NtClose (272, ... ) == 0x0 01196 420 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 272, ) }, ... 272, ) == 0x0 01197 420 NtQueryValueKey (272, (272, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01198 420 NtClose (272, ... ) == 0x0 01199 420 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 272, ) }, ... 
272, ) == 0x0 01200 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 276, ) }, ... 276, ) == 0x0 01201 420 NtQueryValueKey (276, (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01202 420 NtClose (276, ... ) == 0x0 01203 420 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 276, ) }, ... 276, ) == 0x0 01204 420 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 280, ) }, ... 280, ) == 0x0 01205 420 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 284, ) }, ... 284, ) == 0x0 01206 420 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 288, ) }, ... 288, ) == 0x0 01207 420 NtQueryValueKey (288, (288, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01208 420 NtQueryValueKey (288, (288, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Signature", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01209 420 NtClose (288, ... ) == 0x0 01210 420 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 288, ) }, ... 288, ) == 0x0 01211 420 NtQueryValueKey (288, (288, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01212 420 NtQueryValueKey (288, (288, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01213 420 NtQueryValueKey (288, (288, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01214 420 NtQueryValueKey (288, (288, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01215 420 NtQueryValueKey (288, (288, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01216 420 NtQueryValueKey (288, (288, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01217 420 NtClose (288, ... ) == 0x0 01218 420 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Content"}, ... 288, ) }, ... 288, ) == 0x0 01219 420 NtQueryValueKey (288, (288, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01220 420 NtClose (288, ... ) == 0x0 01221 420 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Content"}, ... 288, ) }, ... 288, ) == 0x0 01222 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 292, ) }, ... 292, ) == 0x0 01223 420 NtMapViewOfSection (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x773d0000), 0x0, 8339456, ) == 0x0 01224 420 NtClose (292, ... ) == 0x0 01225 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 292, ) }, ... 292, ) == 0x0 01226 420 NtQueryValueKey (292, (292, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (292, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01227 420 NtClose (292, ... ) == 0x0 01228 420 NtQueryDefaultUILanguage (1237932, ... 01229 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01230 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01231 420 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01232 420 NtClose (-2147482020, ... ) == 0x0 01233 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01234 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01235 420 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01236 420 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01237 420 NtClose (-2147482032, ... ) == 0x0 01238 420 NtClose (-2147482020, ... ) == 0x0 01228 420 NtQueryDefaultUILanguage ... ) == 0x0 01239 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01240 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 292, {status=0x0, info=1}, ) }, 1, 96, ... 292, {status=0x0, info=1}, ) == 0x0 01241 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 292, ... 296, ) == 0x0 01242 420 NtMapViewOfSection (296, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2760000), 0x0, 8323072, ) == 0x0 01243 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01244 420 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 01245 420 NtQueryDefaultLocale (1, 1235968, ... ) == 0x0 01246 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01247 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236824, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236824, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\342\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1$\1\0\0\377\377\377\377\0\0\0\0\20\311\255\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0X\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 420, 1525, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\342\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1$\1\0\0\377\377\377\377\0\0\0\0\20\311\255\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0X\346\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 416, 420, 1525, 0} (24, {128, 156, new_msg, 0, 1236824, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\342\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1$\1\0\0\377\377\377\377\0\0\0\0\20\311\255\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0X\346\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 420, 1525, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\342\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1$\1\0\0\377\377\377\377\0\0\0\0\20\311\255\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0X\346\22\0\0\0\0\0" ) ) == 0x0 01248 420 NtClose (292, ... ) == 0x0 01249 420 NtClose (296, ... ) == 0x0 01250 420 NtUnmapViewOfSection (-1, 0x2760000, ... ) == 0x0 01251 420 NtUnmapViewOfSection (-1, 0x12e658, ... ) == STATUS_NOT_MAPPED_VIEW 01252 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01253 420 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 01254 420 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01255 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01256 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01257 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235052, ... ) }, 1235052, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01258 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01259 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01260 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01261 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1235644, ... ) }, 1235644, ... 
) == 0x0 01262 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 296, {status=0x0, info=1}, ) }, 3, 33, ... 296, {status=0x0, info=1}, ) == 0x0 01263 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01264 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 292, {status=0x0, info=1}, ) }, 5, 96, ... 292, {status=0x0, info=1}, ) == 0x0 01265 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 292, ... 300, ) == 0x0 01266 420 NtClose (292, ... ) == 0x0 01267 420 NtMapViewOfSection (300, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2760000), 0x0, 921600, ) == 0x0 01268 420 NtClose (300, ... ) == 0x0 01269 420 NtUnmapViewOfSection (-1, 0x2760000, ... ) == 0x0 01270 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 300, {status=0x0, info=1}, ) }, 5, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01271 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 300, ... 292, ) == 0x0 01272 420 NtQuerySection (292, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01273 420 NtClose (300, ... ) == 0x0 01274 420 NtMapViewOfSection (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 01275 420 NtClose (292, ... ) == 0x0 01276 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01277 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01278 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01279 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 01280 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01281 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01282 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01283 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01284 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01285 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01286 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01287 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01288 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01289 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01290 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01291 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01292 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01293 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01294 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01295 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01296 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01297 420 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1236828, ... ) , 42, 1236828, ... ) == 0x0 01298 420 NtQueryDefaultUILanguage (1235544, ... 01299 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01300 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01301 420 NtQueryInformationToken (-2147482020, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01302 420 NtClose (-2147482020, ... ) == 0x0 01303 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01304 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01305 420 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01306 420 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 420 NtClose (-2147482032, ... ) == 0x0 01308 420 NtClose (-2147482020, ... ) == 0x0 01298 420 NtQueryDefaultUILanguage ... ) == 0x0 01309 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01310 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234396, ... ) }, 1234396, ... ) == 0x0 01311 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 292, {status=0x0, info=1}, ) }, 5, 96, ... 292, {status=0x0, info=1}, ) == 0x0 01312 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 292, ... 300, ) == 0x0 01313 420 NtClose (292, ... ) == 0x0 01314 420 NtMapViewOfSection (300, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2410000), 0x0, 4096, ) == 0x0 01315 420 NtClose (300, ... ) == 0x0 01316 420 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01317 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234036, ... ) }, 1234036, ... 
) == 0x0 01318 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1234736, (0x80100080, {24, 0, 0x40, 0, 1234736, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 300, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 300, {status=0x0, info=1}, ) == 0x0 01319 420 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 300, ... 292, ) == 0x0 01320 420 NtClose (300, ... ) == 0x0 01321 420 NtMapViewOfSection (292, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2410000), {0, 0}, 4096, ) == 0x0 01322 420 NtClose (292, ... ) == 0x0 01323 420 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01324 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 292, {status=0x0, info=1}, ) }, 1, 96, ... 292, {status=0x0, info=1}, ) == 0x0 01325 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 292, ... 300, ) == 0x0 01326 420 NtMapViewOfSection (300, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2410000), 0x0, 4096, ) == 0x0 01327 420 NtQueryInformationFile (292, 1234356, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 01328 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01329 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1$\1\0\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 416, 420, 1526, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1$\1\0\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 416, 420, 1526, 0} (24, {128, 156, new_msg, 0, 1234436, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1$\1\0\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 420, 1526, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1$\1\0\0,\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\4\335\22\0\0\0\0\0" ) ) == 0x0 01330 420 NtClose (292, ... ) == 0x0 01331 420 NtClose (300, ... ) == 0x0 01332 420 NtUnmapViewOfSection (-1, 0x2410000, ... ) == 0x0 01333 420 NtUnmapViewOfSection (-1, 0x12dd04, ... ) == STATUS_NOT_MAPPED_VIEW 01334 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01335 420 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01336 420 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 01337 420 NtUserGetDC (0, ... ) == 0x1010052 01338 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01339 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01340 420 NtContinue (1234400, 0, ... 01341 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01342 420 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 01343 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01344 420 NtUnmapViewOfSection (-1, 0x2400000, ... ) == 0x0 01345 420 NtClose (296, ... ) == 0x0 01346 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... 
) == 0xc03b 01347 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc03d 01348 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc03f 01349 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc041 01350 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc043 01351 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc045 01352 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc047 01353 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc049 01354 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc04b 01355 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc04d 01356 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc04f 01357 420 NtUserGetClassInfo (1999896576, 1239672, 1239624, 1239700, 0, ... ) == 0xc051 01358 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc053 01359 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc055 01360 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc059 01361 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc05b 01362 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc05d 01363 420 NtUserGetClassInfo (1999896576, 1239668, 1239620, 1239696, 0, ... ) == 0xc05f 01364 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01365 420 NtCreateSemaphore (0x1f0003, {24, 56, 0x80, 1353424, 0, (0x1f0003, {24, 56, 0x80, 1353424, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 296, ) }, 0, 2147483647, ... 296, ) == STATUS_OBJECT_NAME_EXISTS 01366 420 NtReleaseSemaphore (296, 1, ... 0, ) == 0x0 01367 420 NtWaitForSingleObject (296, 0, {0, 0}, ... 
) == 0x0 01368 420 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01369 420 NtQueryValueKey (300, (300, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01370 420 NtClose (300, ... ) == 0x0 01371 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1240192, ... ) }, 1240192, ... ) == 0x0 01372 420 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01373 420 NtSetValueKey (300, (300, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1, (300, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 01374 420 NtClose (300, ... 
) == 0x0 01375 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1241524, ... ) }, 1241524, ... ) == 0x0 01376 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1241256, ... ) }, 1241256, ... ) == 0x0 01377 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 300, {status=0x0, info=1}, ) }, 7, 2113568, ... 300, {status=0x0, info=1}, ) == 0x0 01378 420 NtSetInformationFile (300, 1241232, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01379 420 NtClose (300, ... ) == 0x0 01380 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1241256, ... ) }, 1241256, ... ) == 0x0 01381 420 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01382 420 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01383 420 NtQueryValueKey (288, (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 01384 420 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 300, ) }, ... 
300, ) == 0x0 01385 420 NtOpenKey (0xf, {24, 300, 0x40, 0, 0, (0xf, {24, 300, 0x40, 0, 0, "Paths"}, ... 292, ) }, ... 292, ) == 0x0 01386 420 NtOpenKey (0xf, {24, 292, 0x40, 0, 0, (0xf, {24, 292, 0x40, 0, 0, "Path1"}, ... 304, ) }, ... 304, ) == 0x0 01387 420 NtOpenKey (0xf, {24, 292, 0x40, 0, 0, (0xf, {24, 292, 0x40, 0, 0, "Path2"}, ... 308, ) }, ... 308, ) == 0x0 01388 420 NtOpenKey (0xf, {24, 292, 0x40, 0, 0, (0xf, {24, 292, 0x40, 0, 0, "Path3"}, ... 312, ) }, ... 312, ) == 0x0 01389 420 NtOpenKey (0xf, {24, 292, 0x40, 0, 0, (0xf, {24, 292, 0x40, 0, 0, "Path4"}, ... 316, ) }, ... 316, ) == 0x0 01390 420 NtOpenKey (0xf, {24, 300, 0x40, 0, 0, (0xf, {24, 300, 0x40, 0, 0, "Special Paths"}, ... 320, ) }, ... 320, ) == 0x0 01391 420 NtSetValueKey (292, (292, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (292, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 01392 420 NtSetValueKey (292, (292, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (292, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0 01393 420 NtSetValueKey (304, (304, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... 
) , 0, 1, (304, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 01394 420 NtSetValueKey (308, (308, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (308, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 01395 420 NtSetValueKey (312, (312, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1, (312, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... 
) == 0x0 01396 420 NtSetValueKey (316, (316, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (316, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 01397 420 NtSetValueKey (304, (304, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (304, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01398 420 NtSetValueKey (308, (308, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (308, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01399 420 NtSetValueKey (312, (312, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (312, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01400 420 NtSetValueKey (316, (316, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (316, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01401 420 NtClose (316, ... ) == 0x0 01402 420 NtClose (312, ... ) == 0x0 01403 420 NtClose (308, ... ) == 0x0 01404 420 NtClose (304, ... ) == 0x0 01405 420 NtClose (292, ... ) == 0x0 01406 420 NtClose (320, ... ) == 0x0 01407 420 NtClose (300, ... ) == 0x0 01408 420 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Cookies"}, ... 300, ) }, ... 300, ) == 0x0 01409 420 NtQueryValueKey (300, (300, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (300, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01410 420 NtClose (300, ... 
) == 0x0 01411 420 NtClose (288, ... ) == 0x0 01412 420 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Cookies"}, ... 288, ) }, ... 288, ) == 0x0 01413 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01414 420 NtReleaseSemaphore (296, 1, ... 0, ) == 0x0 01415 420 NtWaitForSingleObject (296, 0, {0, 0}, ... ) == 0x0 01416 420 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01417 420 NtQueryValueKey (300, (300, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01418 420 NtClose (300, ... ) == 0x0 01419 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1240192, ... ) }, 1240192, ... ) == 0x0 01420 420 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01421 420 NtSetValueKey (300, (300, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1, (300, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 01422 420 NtClose (300, ... ) == 0x0 01423 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1241524, ... ) }, 1241524, ... 
) == 0x0 01424 420 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01425 420 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01426 420 NtQueryValueKey (288, (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01427 420 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "History"}, ... 300, ) }, ... 300, ) == 0x0 01428 420 NtQueryValueKey (300, (300, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (300, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01429 420 NtClose (300, ... ) == 0x0 01430 420 NtClose (288, ... ) == 0x0 01431 420 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "History"}, ... 288, ) }, ... 288, ) == 0x0 01432 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01433 420 NtReleaseSemaphore (296, 1, ... 0, ) == 0x0 01434 420 NtWaitForSingleObject (296, 0, {0, 0}, ... ) == 0x0 01435 420 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01436 420 NtQueryValueKey (300, (300, "History", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01437 420 NtClose (300, ... ) == 0x0 01438 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1240192, ... ) }, 1240192, ... ) == 0x0 01439 420 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01440 420 NtSetValueKey (300, (300, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (300, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 01441 420 NtClose (300, ... ) == 0x0 01442 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1241524, ... ) }, 1241524, ... ) == 0x0 01443 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1241256, ... ) }, 1241256, ... ) == 0x0 01444 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 300, {status=0x0, info=1}, ) }, 7, 2113568, ... 
300, {status=0x0, info=1}, ) == 0x0 01445 420 NtSetInformationFile (300, 1241232, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01446 420 NtClose (300, ... ) == 0x0 01447 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1241256, ... ) }, 1241256, ... ) == 0x0 01448 420 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01449 420 NtQueryValueKey (288, (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01450 420 NtQueryValueKey (288, (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01451 420 NtClose (288, ... ) == 0x0 01452 420 NtClose (284, ... ) == 0x0 01453 420 NtClose (276, ... ) == 0x0 01454 420 NtClose (280, ... ) == 0x0 01455 420 NtClose (272, ... ) == 0x0 01456 420 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 272, ) }, ... 272, ) == 0x0 01457 420 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 280, ) }, ... 280, ) == 0x0 01458 420 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01459 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 
276, {status=0x0, info=1}, ) }, 3, 8388641, ... 276, {status=0x0, info=1}, ) == 0x0 01460 420 NtQueryVolumeInformationFile (276, 1242776, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01461 420 NtClose (276, ... ) == 0x0 01462 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 276, {status=0x0, info=1}, ) }, 3, 8388641, ... 276, {status=0x0, info=1}, ) == 0x0 01463 420 NtQueryVolumeInformationFile (276, 1242800, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01464 420 NtClose (276, ... ) == 0x0 01465 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1243128, ... ) }, 1243128, ... ) == 0x0 01466 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 276, {status=0x0, info=1}, ) }, 7, 2113568, ... 276, {status=0x0, info=1}, ) == 0x0 01467 420 NtSetInformationFile (276, 1243104, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01468 420 NtClose (276, ... ) == 0x0 01469 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243120, (0xc0100080, {24, 0, 0x40, 1353424, 1243120, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) == 0x0 01470 420 NtSetInformationFile (276, 1243172, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01471 420 NtQueryInformationFile (276, 1243172, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01472 420 NtClose (276, ... ) == 0x0 01473 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243104, (0xc0100080, {24, 0, 0x40, 1353424, 1243104, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 
276, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) == 0x0 01474 420 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 284, ) }, ... 284, ) == 0x0 01475 420 NtMapViewOfSection (284, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2400000), {0, 0}, 32768, ) == 0x0 01476 420 NtReleaseMutant (280, ... 0x0, ) == 0x0 01477 420 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 288, ) }, ... 288, ) == 0x0 01478 420 NtWaitForSingleObject (288, 0, 0x0, ... ) == 0x0 01479 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 300, {status=0x0, info=1}, ) }, 3, 8388641, ... 300, {status=0x0, info=1}, ) == 0x0 01480 420 NtQueryVolumeInformationFile (300, 1242776, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01481 420 NtClose (300, ... ) == 0x0 01482 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 300, {status=0x0, info=1}, ) }, 3, 8388641, ... 300, {status=0x0, info=1}, ) == 0x0 01483 420 NtQueryVolumeInformationFile (300, 1242800, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01484 420 NtClose (300, ... ) == 0x0 01485 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1243128, ... ) }, 1243128, ... ) == 0x0 01486 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 300, {status=0x0, info=1}, ) }, 7, 2113568, ... 300, {status=0x0, info=1}, ) == 0x0 01487 420 NtSetInformationFile (300, 1243104, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01488 420 NtClose (300, ... 
) == 0x0 01489 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243120, (0xc0100080, {24, 0, 0x40, 1353424, 1243120, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) == 0x0 01490 420 NtSetInformationFile (300, 1243172, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01491 420 NtQueryInformationFile (300, 1243172, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01492 420 NtClose (300, ... ) == 0x0 01493 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243104, (0xc0100080, {24, 0, 0x40, 1353424, 1243104, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) == 0x0 01494 420 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 320, ) }, ... 320, ) == 0x0 01495 420 NtMapViewOfSection (320, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2410000), {0, 0}, 16384, ) == 0x0 01496 420 NtReleaseMutant (288, ... 0x0, ) == 0x0 01497 420 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 292, ) }, ... 292, ) == 0x0 01498 420 NtWaitForSingleObject (292, 0, 0x0, ... ) == 0x0 01499 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 304, {status=0x0, info=1}, ) }, 3, 8388641, ... 304, {status=0x0, info=1}, ) == 0x0 01500 420 NtQueryVolumeInformationFile (304, 1242776, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01501 420 NtClose (304, ... ) == 0x0 01502 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 304, {status=0x0, info=1}, ) }, 3, 8388641, ... 
304, {status=0x0, info=1}, ) == 0x0 01503 420 NtQueryVolumeInformationFile (304, 1242800, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01504 420 NtClose (304, ... ) == 0x0 01505 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1243128, ... ) }, 1243128, ... ) == 0x0 01506 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 304, {status=0x0, info=1}, ) }, 7, 2113568, ... 304, {status=0x0, info=1}, ) == 0x0 01507 420 NtSetInformationFile (304, 1243104, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01508 420 NtClose (304, ... ) == 0x0 01509 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243120, (0xc0100080, {24, 0, 0x40, 1353424, 1243120, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 304, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 304, {status=0x0, info=1}, ) == 0x0 01510 420 NtSetInformationFile (304, 1243172, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01511 420 NtQueryInformationFile (304, 1243172, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01512 420 NtClose (304, ... ) == 0x0 01513 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 1353424, 1243104, (0xc0100080, {24, 0, 0x40, 1353424, 1243104, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 304, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 304, {status=0x0, info=1}, ) == 0x0 01514 420 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 308, ) }, ... 308, ) == 0x0 01515 420 NtMapViewOfSection (308, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2440000), {0, 0}, 32768, ) == 0x0 01516 420 NtReleaseMutant (292, ... 
0x0, ) == 0x0 01517 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1243184, ... ) }, 1243184, ... ) == 0x0 01518 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 312, {status=0x0, info=1}, ) }, 7, 2113568, ... 312, {status=0x0, info=1}, ) == 0x0 01519 420 NtSetInformationFile (312, 1243160, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01520 420 NtClose (312, ... ) == 0x0 01521 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1243184, ... ) }, 1243184, ... ) == 0x0 01522 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1243184, ... ) }, 1243184, ... ) == 0x0 01523 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 312, {status=0x0, info=1}, ) }, 7, 2113568, ... 312, {status=0x0, info=1}, ) == 0x0 01524 420 NtSetInformationFile (312, 1243160, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01525 420 NtClose (312, ... ) == 0x0 01526 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1243184, ... ) }, 1243184, ... ) == 0x0 01527 420 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01528 420 NtQueryInformationFile (276, 1241568, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01529 420 NtReleaseMutant (280, ... 0x0, ) == 0x0 01530 420 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 
312, ) }, ... 312, ) == 0x0 01531 420 NtOpenKey (0xf, {24, 312, 0x40, 0, 0, (0xf, {24, 312, 0x40, 0, 0, "Extensible Cache"}, ... 316, ) }, ... 316, ) == 0x0 01532 420 NtClose (312, ... ) == 0x0 01533 420 NtWaitForSingleObject (272, 0, {-600000000, -1}, ... ) == 0x0 01534 420 NtEnumerateKey (316, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (316, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 01535 420 NtOpenKey (0xf, {24, 316, 0x40, 0, 0, (0xf, {24, 316, 0x40, 0, 0, "MSHist012007051420070521"}, ... 312, ) }, ... 312, ) == 0x0 01536 420 NtQueryValueKey (312, (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01537 420 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01538 420 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01539 420 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01540 420 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01541 420 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01542 420 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01543 420 NtQueryValueKey (312, (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01544 420 NtQueryValueKey (312, (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01545 420 NtClose (312, ... ) == 0x0 01546 420 NtEnumerateKey (316, 1, Basic, 288, ... 
{LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (316, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 01547 420 NtOpenKey (0xf, {24, 316, 0x40, 0, 0, (0xf, {24, 316, 0x40, 0, 0, "MSHist012007052120070528"}, ... 312, ) }, ... 312, ) == 0x0 01548 420 NtQueryValueKey (312, (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01549 420 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01550 420 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01551 420 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01552 420 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01553 420 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01554 420 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01555 420 NtQueryValueKey (312, (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01556 420 NtQueryValueKey (312, (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01557 420 NtClose (312, ... ) == 0x0 01558 420 NtEnumerateKey (316, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (316, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 01559 420 NtOpenKey (0xf, {24, 316, 0x40, 0, 0, (0xf, {24, 316, 0x40, 0, 0, "MSHist012007053120070601"}, ... 312, ) }, ... 
312, ) == 0x0 01560 420 NtQueryValueKey (312, (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01561 420 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01562 420 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01563 420 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01564 420 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01565 420 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01566 420 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01567 420 NtQueryValueKey (312, (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01568 420 NtQueryValueKey (312, (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01569 420 NtClose (312, ... ) == 0x0 01570 420 NtEnumerateKey (316, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 01571 420 NtReleaseMutant (272, ... 0x0, ) == 0x0 01572 420 NtClose (316, ... ) == 0x0 01573 420 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01574 420 NtQueryInformationFile (276, 1243496, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01575 420 NtReleaseMutant (280, ... 0x0, ) == 0x0 01576 420 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01577 420 NtQueryInformationFile (276, 1243568, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01578 420 NtReleaseMutant (280, ... 0x0, ) == 0x0 01579 420 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01580 420 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01581 420 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01582 420 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01583 420 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01584 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 316, ) }, ... 316, ) == 0x0 01585 420 NtQueryValueKey (316, (316, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01586 420 NtClose (316, ... ) == 0x0 01587 420 NtQueryValueKey (260, (260, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01588 420 NtQueryValueKey (260, (260, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01589 420 NtQueryValueKey (260, (260, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01590 420 NtQueryValueKey (260, (260, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01591 420 NtQueryValueKey (260, (260, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01592 420 NtQueryValueKey (260, (260, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01593 420 NtQueryValueKey (260, (260, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01594 420 NtQueryValueKey (260, (260, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01595 420 NtQueryValueKey (260, (260, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01596 420 NtQueryValueKey (260, (260, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01597 420 NtQueryValueKey (260, (260, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01598 420 NtQueryValueKey (260, (260, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01599 420 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 316, ) }, ... 316, ) == 0x0 01600 420 NtQueryValueKey (316, (316, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01601 420 NtClose (316, ... ) == 0x0 01602 420 NtQueryValueKey (260, (260, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01603 420 NtQueryValueKey (260, (260, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01604 420 NtQueryValueKey (260, (260, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01605 420 NtQueryValueKey (260, (260, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01606 420 NtQueryValueKey (260, (260, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01607 420 NtQueryValueKey (260, (260, "LeashLegacyCookies", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01608 420 NtQueryValueKey (260, (260, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01609 420 NtQueryValueKey (260, (260, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01610 420 NtQueryValueKey (260, (260, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01611 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 316, ) }, ... 316, ) == 0x0 01612 420 NtQueryValueKey (316, (316, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01613 420 NtClose (316, ... ) == 0x0 01614 420 NtQueryValueKey (260, (260, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01615 420 NtQueryValueKey (260, (260, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01616 420 NtQueryValueKey (260, (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01617 420 NtQueryValueKey (260, (260, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01618 420 NtQueryValueKey (260, (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01619 420 NtQueryValueKey (260, (260, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01620 420 NtQueryValueKey (260, (260, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01621 420 NtQueryValueKey (260, (260, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01622 420 NtQueryValueKey (260, (260, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01623 420 NtQueryValueKey (260, (260, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01624 420 NtQueryValueKey (260, (260, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (260, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01625 420 NtQueryValueKey (260, (260, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01626 420 NtQueryValueKey (260, (260, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01627 420 NtQueryValueKey (260, (260, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01628 420 NtQueryValueKey (260, (260, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01629 420 NtQueryValueKey (260, (260, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01630 420 NtQueryValueKey (260, (260, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01631 420 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "WininetStartupMutex"}, ... 316, ) }, ... 
316, ) == 0x0 01632 420 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 312, ) == 0x0 01633 420 NtQueryValueKey (260, (260, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01634 420 NtWaitForSingleObject (280, 0, 0x0, ... ) == 0x0 01635 420 NtQueryInformationFile (276, 1243544, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01636 420 NtReleaseMutant (280, ... 0x0, ) == 0x0 01637 420 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "WininetConnectionMutex"}, ... 324, ) }, ... 324, ) == 0x0 01638 420 NtCreateMutant (0x1f0001, 0x0, 0, ... 328, ) == 0x0 01639 420 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 332, ) }, ... 332, ) == 0x0 01640 420 NtQueryValueKey (260, (260, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01641 420 NtQueryValueKey (260, (260, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01642 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 336, ) }, ... 336, ) == 0x0 01643 420 NtQueryValueKey (336, (336, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01644 420 NtQueryValueKey (336, (336, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (336, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01645 420 NtClose (336, ... ) == 0x0 01646 420 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 01647 420 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 336, ) == 0x0 01648 420 NtWaitForSingleObject (336, 0, 0x0, ... ) == 0x0 01649 420 NtClearEvent (336, ... ) == 0x0 01650 420 NtSetEvent (336, ... 0x0, ) == 0x0 01651 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01652 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01653 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01654 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1241476, ... ) }, 1241476, ... ) == 0x0 01655 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0 01656 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 340, ... 344, ) == 0x0 01657 420 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01658 420 NtClose (340, ... ) == 0x0 01659 420 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 01660 420 NtClose (344, ... ) == 0x0 01661 420 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 344, ) }, ... 344, ) == 0x0 01662 420 NtQueryValueKey (344, (344, "WinSock_Registry_Version", Partial, 144, ... 
TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01663 420 NtQueryValueKey (344, (344, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01664 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 340, ) == 0x0 01665 420 NtOpenKey (0x2000000, {24, 344, 0x40, 0, 0, (0x2000000, {24, 344, 0x40, 0, 0, "Protocol_Catalog9"}, ... 348, ) }, ... 348, ) == 0x0 01666 420 NtQueryValueKey (348, (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01667 420 NtNotifyChangeKey (348, 340, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01668 420 NtQueryValueKey (348, (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01669 420 NtOpenKey (0x2000000, {24, 348, 0x40, 0, 0, (0x2000000, {24, 348, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01670 420 NtQueryValueKey (348, (348, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 01671 420 NtQueryValueKey (348, (348, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Num_Catalog_Entries", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01672 420 NtOpenKey (0x2000000, {24, 348, 0x40, 0, 0, (0x2000000, {24, 348, 0x40, 0, 0, "Catalog_Entries"}, ... 352, ) }, ... 352, ) == 0x0 01673 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000001"}, ... 356, ) }, ... 356, ) == 0x0 01674 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01675 420 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01676 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01677 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\216\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\216\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\217\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\220\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\216\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\216\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\217\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\220\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\216\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\216\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\217\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\220\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01678 420 NtClose (356, ... ) == 0x0 01679 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000002"}, ... 356, ) }, ... 356, ) == 0x0 01680 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01681 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01682 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\223\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\223\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\224\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\225\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\223\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\223\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\224\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\225\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\223\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\223\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\224\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\225\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01683 420 NtClose (356, ... ) == 0x0 01684 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000003"}, ... 356, ) }, ... 356, ) == 0x0 01685 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01686 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01687 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\230\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\230\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\231\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\232\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\230\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\230\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\231\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\232\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\230\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\230\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\231\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\232\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01688 420 NtClose (356, ... ) == 0x0 01689 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000004"}, ... 356, ) }, ... 356, ) == 0x0 01690 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01691 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01692 420 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01693 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\236\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\236\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\237\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\240\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\236\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\236\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\237\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\240\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\236\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\236\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\237\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\240\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01694 420 NtClose (356, ... ) == 0x0 01695 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000005"}, ... 356, ) }, ... 356, ) == 0x0 01696 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01697 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01698 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\243\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\243\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\244\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\245\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\243\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\243\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\244\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\245\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\243\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\243\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\244\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\245\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01699 420 NtClose (356, ... ) == 0x0 01700 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000006"}, ... 356, ) }, ... 356, ) == 0x0 01701 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01702 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01703 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\250\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\250\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\251\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\252\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\250\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\250\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\251\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\252\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\250\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\250\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\251\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\252\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01704 420 NtClose (356, ... ) == 0x0 01705 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000007"}, ... 356, ) }, ... 356, ) == 0x0 01706 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01707 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01708 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\255\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\255\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\256\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\257\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\255\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\255\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\256\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\257\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\255\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\255\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\256\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\257\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\257\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01709 420 NtClose (356, ... ) == 0x0 01710 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000008"}, ... 356, ) }, ... 356, ) == 0x0 01711 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01712 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01713 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\262\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\262\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\263\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\264\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\262\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\262\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\263\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\264\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\262\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\262\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\263\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\264\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01714 420 NtClose (356, ... ) == 0x0 01715 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000009"}, ... 356, ) }, ... 356, ) == 0x0 01716 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01717 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01718 420 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01719 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\270\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\270\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\271\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\272\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\270\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\270\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\271\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\272\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\270\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\270\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\271\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\272\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01720 420 NtClose (356, ... ) == 0x0 01721 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000010"}, ... 356, ) }, ... 356, ) == 0x0 01722 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01723 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01724 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\275\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\275\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\276\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\277\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\275\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\275\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\276\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\277\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\275\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\275\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0T\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330\312\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\276\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\277\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\6\0\0\240\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01725 420 NtClose (356, ... ) == 0x0 01726 420 NtOpenKey (0x20019, {24, 352, 0x40, 0, 0, (0x20019, {24, 352, 0x40, 0, 0, "000000000011"}, ... 356, ) }, ... 356, ) == 0x0 01727 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01728 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01729 420 NtQueryValueKey (356, (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\302\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\302\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\1\0\0\303\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\304\6\0\0\240\1\0\0\244\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\6\0\0\240\1\0\0\244\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\305\6\0\0\240\1\0\0\244\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\305\6\0\0\240\1\0\0\244\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\1\0\0\306\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\1\0\0p\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250\312\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\302\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\302\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\1\0\0\303\6\0\0\240\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\304\6\0\0\240\1\0\0\244\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\6\0\0\240\1\0\0\244\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\305\6\0\0\240\1\0\0\244\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\305\6\0\0\240\1\0\0\244\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\1\0\0\306\6\0\0\240\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\1\0\0p\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250\312\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 01730 420 NtClose (356, ... ) == 0x0 01731 420 NtClose (352, ... 
) == 0x0 01732 420 NtWaitForSingleObject (340, 0, {0, 0}, ... ) == 0x102 01733 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 352, ) == 0x0 01734 420 NtOpenKey (0x2000000, {24, 344, 0x40, 0, 0, (0x2000000, {24, 344, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 356, ) }, ... 356, ) == 0x0 01735 420 NtQueryValueKey (356, (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01736 420 NtNotifyChangeKey (356, 352, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01737 420 NtQueryValueKey (356, (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01738 420 NtOpenKey (0x2000000, {24, 356, 0x40, 0, 0, (0x2000000, {24, 356, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01739 420 NtQueryValueKey (356, (356, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01740 420 NtOpenKey (0x2000000, {24, 356, 0x40, 0, 0, (0x2000000, {24, 356, 0x40, 0, 0, "Catalog_Entries"}, ... 360, ) }, ... 360, ) == 0x0 01741 420 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "000000000001"}, ... 364, ) }, ... 364, ) == 0x0 01742 420 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01743 420 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01744 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01745 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01746 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01747 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01748 420 NtQueryValueKey (364, (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01749 420 NtQueryValueKey (364, (364, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01750 420 NtQueryValueKey (364, (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01751 420 NtQueryValueKey (364, (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01752 420 NtQueryValueKey (364, (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01753 420 NtQueryValueKey (364, (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01754 420 NtClose (364, ... ) == 0x0 01755 420 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "000000000002"}, ... 364, ) }, ... 364, ) == 0x0 01756 420 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01757 420 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01758 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01759 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01760 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01761 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01762 420 NtQueryValueKey (364, (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01763 420 NtQueryValueKey (364, (364, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01764 420 NtQueryValueKey (364, (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01765 420 NtQueryValueKey (364, (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01766 420 NtQueryValueKey (364, (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01767 420 NtQueryValueKey (364, (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01768 420 NtClose (364, ... ) == 0x0 01769 420 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 01770 420 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "000000000003"}, ... 364, ) }, ... 364, ) == 0x0 01771 420 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01772 420 NtQueryValueKey (364, (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01773 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01774 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01775 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01776 420 NtQueryValueKey (364, (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01777 420 NtQueryValueKey (364, (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01778 420 NtQueryValueKey (364, (364, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01779 420 NtQueryValueKey (364, (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01780 420 NtQueryValueKey (364, (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01781 420 NtQueryValueKey (364, (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01782 420 NtQueryValueKey (364, (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01783 420 NtClose (364, ... ) == 0x0 01784 420 NtClose (360, ... ) == 0x0 01785 420 NtWaitForSingleObject (352, 0, {0, 0}, ... ) == 0x102 01786 420 NtClose (344, ... ) == 0x0 01787 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01788 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01789 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 344, ) }, ... 344, ) == 0x0 01790 420 NtQueryValueKey (344, (344, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01791 420 NtClose (344, ... ) == 0x0 01792 420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 344, ) == 0x0 01793 420 NtClearEvent (312, ... ) == 0x0 01794 420 NtSetEvent (312, ... 0x0, ) == 0x0 01795 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01796 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01797 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "icmp.dll"}, 1242008, ... ) }, 1242008, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01798 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 01799 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01800 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01801 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01802 420 NtClose (360, ... ) == 0x0 01803 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0 01804 420 NtClose (364, ... ) == 0x0 01805 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01806 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242472, ... ) }, 1242472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01807 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1242472, ... ) }, 1242472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01808 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1242472, ... ) }, 1242472, ... ) == 0x0 01809 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01810 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01811 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01812 420 NtClose (364, ... ) == 0x0 01813 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 01814 420 NtClose (360, ... 
) == 0x0 01815 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01816 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1241668, ... ) }, 1241668, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01817 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 1241668, ... ) }, 1241668, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01818 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1241668, ... ) }, 1241668, ... ) == 0x0 01819 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01820 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01821 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01822 420 NtClose (360, ... ) == 0x0 01823 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 01824 420 NtClose (364, ... ) == 0x0 01825 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01826 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01827 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01828 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1240864, ... ) }, 1240864, ... ) == 0x0 01829 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 
364, {status=0x0, info=1}, ) == 0x0 01830 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01831 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01832 420 NtClose (364, ... ) == 0x0 01833 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 01834 420 NtClose (360, ... ) == 0x0 01835 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01836 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01837 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01838 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01839 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01840 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01841 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01842 420 NtClose (360, ... ) == 0x0 01843 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 01844 420 NtClose (364, ... ) == 0x0 01845 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01846 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01847 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1239256, ... 
) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01848 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1239256, ... ) }, 1239256, ... ) == 0x0 01849 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01850 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01851 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01852 420 NtClose (364, ... ) == 0x0 01853 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 01854 420 NtClose (360, ... ) == 0x0 01855 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01856 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1238452, ... ) }, 1238452, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01857 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1238452, ... ) }, 1238452, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01858 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1238452, ... ) }, 1238452, ... ) == 0x0 01859 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01860 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01861 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01862 420 NtClose (360, ... ) == 0x0 01863 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01864 420 NtClose (364, ... 
) == 0x0 01865 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 364, ) }, ... 364, ) == 0x0 01866 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01867 420 NtClose (364, ... ) == 0x0 01868 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01869 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01870 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01871 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1239256, ... ) }, 1239256, ... ) == 0x0 01872 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01873 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01874 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01875 420 NtClose (364, ... ) == 0x0 01876 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 01877 420 NtClose (360, ... ) == 0x0 01878 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01879 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01880 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1240060, ... ) }, 1240060, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01881 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01882 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01883 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01884 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01885 420 NtClose (360, ... ) == 0x0 01886 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 01887 420 NtClose (364, ... ) == 0x0 01888 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01889 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01890 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01891 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01892 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01893 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01894 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01895 420 NtClose (364, ... ) == 0x0 01896 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 01897 420 NtClose (360, ... 
) == 0x0 01898 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01899 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01900 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01901 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01902 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01903 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01904 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01905 420 NtClose (360, ... ) == 0x0 01906 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 01907 420 NtClose (364, ... ) == 0x0 01908 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01909 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01910 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01911 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1240864, ... ) }, 1240864, ... ) == 0x0 01912 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 
364, {status=0x0, info=1}, ) == 0x0 01913 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01914 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01915 420 NtClose (364, ... ) == 0x0 01916 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 01917 420 NtClose (360, ... ) == 0x0 01918 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01919 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01920 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01921 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01922 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01923 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01924 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01925 420 NtClose (360, ... ) == 0x0 01926 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 01927 420 NtClose (364, ... ) == 0x0 01928 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01929 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01930 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1240060, ... ) }, 1240060, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01931 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01932 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01933 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01934 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01935 420 NtClose (364, ... ) == 0x0 01936 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 01937 420 NtClose (360, ... ) == 0x0 01938 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01939 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01940 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1240864, ... ) }, 1240864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01941 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1240864, ... ) }, 1240864, ... ) == 0x0 01942 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01943 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01944 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01945 420 NtClose (360, ... ) == 0x0 01946 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 01947 420 NtClose (364, ... 
) == 0x0 01948 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01949 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01950 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01951 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01952 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01953 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01954 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01955 420 NtClose (364, ... ) == 0x0 01956 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 01957 420 NtClose (360, ... ) == 0x0 01958 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01959 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01960 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01961 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01962 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 
360, {status=0x0, info=1}, ) == 0x0 01963 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01964 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01965 420 NtClose (360, ... ) == 0x0 01966 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 01967 420 NtClose (364, ... ) == 0x0 01968 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01969 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01970 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01971 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1239256, ... ) }, 1239256, ... ) == 0x0 01972 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01973 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01974 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01975 420 NtClose (364, ... ) == 0x0 01976 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01977 420 NtClose (360, ... ) == 0x0 01978 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01979 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1240060, ... ) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01980 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1240060, ... 
) }, 1240060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01981 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1240060, ... ) }, 1240060, ... ) == 0x0 01982 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 01983 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 360, ... 364, ) == 0x0 01984 420 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01985 420 NtClose (360, ... ) == 0x0 01986 420 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 01987 420 NtClose (364, ... ) == 0x0 01988 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01989 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01990 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1239256, ... ) }, 1239256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01991 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1239256, ... ) }, 1239256, ... ) == 0x0 01992 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 01993 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 364, ... 360, ) == 0x0 01994 420 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01995 420 NtClose (364, ... ) == 0x0 01996 420 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 01997 420 NtClose (360, ... 
) == 0x0 01998 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 360, ) == 0x0 01999 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 364, ) }, ... 364, ) == 0x0 02000 420 NtQueryValueKey (364, (364, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02001 420 NtClose (364, ... ) == 0x0 02002 420 NtQueryDefaultLocale (1, 1243116, ... ) == 0x0 02003 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02004 420 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 39124992, 262144, ) == 0x0 02005 420 NtAllocateVirtualMemory (-1, 39124992, 0, 4096, 4096, 4, ... 39124992, 4096, ) == 0x0 02006 420 NtAllocateVirtualMemory (-1, 39129088, 0, 8192, 4096, 4, ... 39129088, 8192, ) == 0x0 02007 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02008 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02009 420 NtQueryDefaultLocale (1, 1243076, ... ) == 0x0 02010 420 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02011 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 364, ) }, ... 
364, ) == 0x0 02012 420 NtQueryValueKey (364, (364, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02013 420 NtClose (364, ... ) == 0x0 02014 420 NtUserGetProcessWindowStation (... ) == 0x24 02015 420 NtUserGetObjectInformation (36, 1, 1242748, 12, 1242760, ... ) == 0x1 02016 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 364, ) }, ... 364, ) == 0x0 02017 420 NtQueryValueKey (364, (364, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 02018 420 NtClose (364, ... ) == 0x0 02019 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02020 420 NtQueryValueKey (364, (364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02021 420 NtQueryValueKey (364, (364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02022 420 NtClose (364, ... ) == 0x0 02023 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02024 420 NtQueryValueKey (364, (364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02025 420 NtQueryValueKey (364, (364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02026 420 NtClose (364, ... ) == 0x0 02027 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02028 420 NtQueryValueKey (364, (364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02029 420 NtQueryValueKey (364, (364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02030 420 NtClose (364, ... ) == 0x0 02031 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02032 420 NtQueryValueKey (364, (364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02033 420 NtQueryValueKey (364, (364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02034 420 NtClose (364, ... ) == 0x0 02035 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 364, ) }, ... 364, ) == 0x0 02036 420 NtQueryValueKey (364, (364, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02037 420 NtQueryValueKey (364, (364, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02038 420 NtClose (364, ... ) == 0x0 02039 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 364, ) }, ... 364, ) == 0x0 02040 420 NtQueryValueKey (364, (364, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (364, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 02041 420 NtClose (364, ... ) == 0x0 02042 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 364, ) == 0x0 02043 420 NtCreateMutant (0x1f0001, 0x0, 0, ... 368, ) == 0x0 02044 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 372, ) == 0x0 02045 420 NtCreateMutant (0x1f0001, 0x0, 0, ... 
376, ) == 0x0 02046 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 380, ) == 0x0 02047 420 NtCreateMutant (0x1f0001, 0x0, 0, ... 384, ) == 0x0 02048 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 388, ) }, ... 388, ) == 0x0 02049 420 NtQueryValueKey (388, (388, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02050 420 NtQueryValueKey (388, (388, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02051 420 NtOpenKey (0x1, {24, 388, 0x40, 0, 0, (0x1, {24, 388, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02052 420 NtClose (388, ... ) == 0x0 02053 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1242668, ... ) }, 1242668, ... ) == 0x0 02054 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 388, ) }, ... 388, ) == 0x0 02055 420 NtQueryValueKey (388, (388, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (388, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (388, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02056 420 NtClose (388, ... ) == 0x0 02057 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 388, ) }, ... 388, ) == 0x0 02058 420 NtQueryValueKey (388, (388, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (388, "Hostname", Full, 128, ... 
TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (388, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 02059 420 NtClose (388, ... ) == 0x0 02060 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02061 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 388, ) }, ... 388, ) == 0x0 02062 420 NtQueryValueKey (388, (388, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (388, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (388, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02063 420 NtClose (388, ... ) == 0x0 02064 420 NtQueryDefaultUILanguage (1241636, ... 02065 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02066 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 02067 420 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02068 420 NtClose (-2147482020, ... ) == 0x0 02069 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 02070 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02071 420 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... 
-2147482032, ) == 0x0 02072 420 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02073 420 NtClose (-2147482032, ... ) == 0x0 02074 420 NtClose (-2147482020, ... ) == 0x0 02064 420 NtQueryDefaultUILanguage ... ) == 0x0 02075 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02076 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 388, {status=0x0, info=1}, ) }, 1, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02077 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 388, ... 392, ) == 0x0 02078 420 NtMapViewOfSection (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2760000), 0x0, 163840, ) == 0x0 02079 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02080 420 NtQueryDefaultLocale (1, 1239672, ... ) == 0x0 02081 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02082 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240528, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240528, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\360Zx\2\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\320\364\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 416, 420, 1527, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\360Zx\2\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\320\364\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 416, 420, 1527, 0} (24, {128, 156, new_msg, 0, 1240528, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\360Zx\2\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\320\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 420, 1527, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\204\1\0\0\377\377\377\377\0\0\0\0\360Zx\2\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\320\364\22\0\0\0\0\0" ) ) == 0x0 02083 420 NtClose (388, ... ) == 0x0 02084 420 NtClose (392, ... ) == 0x0 02085 420 NtUnmapViewOfSection (-1, 0x2760000, ... ) == 0x0 02086 420 NtUnmapViewOfSection (-1, 0x12f4d0, ... ) == STATUS_NOT_MAPPED_VIEW 02087 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02088 420 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 02089 420 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02090 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02091 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02092 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238756, ... ) }, 1238756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02093 420 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 02094 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02095 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02096 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239348, ... ) }, 1239348, ... ) == 0x0 02097 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 392, {status=0x0, info=1}, ) }, 3, 33, ... 392, {status=0x0, info=1}, ) == 0x0 02098 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02099 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02100 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 388, ... 396, ) == 0x0 02101 420 NtClose (388, ... ) == 0x0 02102 420 NtMapViewOfSection (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x27a0000), 0x0, 921600, ) == 0x0 02103 420 NtClose (396, ... ) == 0x0 02104 420 NtUnmapViewOfSection (-1, 0x27a0000, ... ) == 0x0 02105 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 396, {status=0x0, info=1}, ) }, 5, 96, ... 396, {status=0x0, info=1}, ) == 0x0 02106 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 396, ... 388, ) == 0x0 02107 420 NtQuerySection (388, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02108 420 NtClose (396, ... ) == 0x0 02109 420 NtMapViewOfSection (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 02110 420 NtClose (388, ... ) == 0x0 02111 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 02112 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02113 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02114 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02115 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02116 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02117 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02118 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02119 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02120 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02121 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02122 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02123 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02124 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02125 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02126 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02127 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02128 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02129 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 02130 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 02131 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 02132 420 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240532, ... ) , 42, 1240532, ... ) == 0x0 02133 420 NtQueryDefaultUILanguage (1239248, ... 
02134 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02135 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 02136 420 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02137 420 NtClose (-2147482020, ... ) == 0x0 02138 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 02139 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02140 420 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 02141 420 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02142 420 NtClose (-2147482032, ... ) == 0x0 02143 420 NtClose (-2147482020, ... ) == 0x0 02133 420 NtQueryDefaultUILanguage ... ) == 0x0 02144 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02145 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238100, ... ) }, 1238100, ... ) == 0x0 02146 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02147 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 388, ... 396, ) == 0x0 02148 420 NtClose (388, ... ) == 0x0 02149 420 NtMapViewOfSection (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2760000), 0x0, 4096, ) == 0x0 02150 420 NtClose (396, ... 
) == 0x0 02151 420 NtUnmapViewOfSection (-1, 0x2760000, ... ) == 0x0 02152 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237740, ... ) }, 1237740, ... ) == 0x0 02153 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238440, (0x80100080, {24, 0, 0x40, 0, 1238440, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0 02154 420 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 396, ... 388, ) == 0x0 02155 420 NtClose (396, ... ) == 0x0 02156 420 NtMapViewOfSection (388, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2760000), {0, 0}, 4096, ) == 0x0 02157 420 NtClose (388, ... ) == 0x0 02158 420 NtUnmapViewOfSection (-1, 0x2760000, ... ) == 0x0 02159 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 388, {status=0x0, info=1}, ) }, 1, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02160 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 388, ... 396, ) == 0x0 02161 420 NtMapViewOfSection (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2760000), 0x0, 4096, ) == 0x0 02162 420 NtQueryInformationFile (388, 1238060, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 02163 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02164 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238140, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238140, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\204\1\0\0\214\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0|\353\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 416, 420, 1528, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\204\1\0\0\214\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0|\353\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 416, 420, 1528, 0} (24, {128, 156, new_msg, 0, 1238140, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\204\1\0\0\214\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0|\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 416, 420, 1528, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\204\1\0\0\214\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0|\353\22\0\0\0\0\0" ) ) == 0x0 02165 420 NtClose (388, ... ) == 0x0 02166 420 NtClose (396, ... ) == 0x0 02167 420 NtUnmapViewOfSection (-1, 0x2760000, ... ) == 0x0 02168 420 NtUnmapViewOfSection (-1, 0x12eb7c, ... ) == STATUS_NOT_MAPPED_VIEW 02169 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02170 420 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 02171 420 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 02172 420 NtUserGetDC (0, ... ) == 0x1010051 02173 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 02174 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 02175 420 NtContinue (1238104, 0, ... 02176 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 02177 420 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 02178 420 NtQueryDebugFilterState (87, 3, ... ) == 0x0 02179 420 NtUnmapViewOfSection (-1, 0x2790000, ... ) == 0x0 02180 420 NtClose (392, ... 
) == 0x0 02181 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 392, ) }, ... 392, ) == 0x0 02182 420 NtQueryValueKey (392, (392, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02183 420 NtQueryValueKey (392, (392, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02184 420 NtClose (392, ... ) == 0x0 02185 420 NtCreateMutant (0x1f0001, 0x0, 0, ... 392, ) == 0x0 02186 420 NtCreateMutant (0x1f0001, {24, 56, 0x80, 1381520, 0, (0x1f0001, {24, 56, 0x80, 1381520, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 02187 420 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "RasPbFile"}, ... 396, ) }, ... 396, ) == 0x0 02188 420 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 388, ) == 0x0 02189 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 400, ) == 0x0 02190 420 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 404, ) == 0x0 02191 420 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) , 0, ... 408, 2, ) == 0x0 02192 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 412, ) }, ... 412, ) == 0x0 02193 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02194 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02195 420 NtQueryValueKey (412, (412, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02196 420 NtQueryValueKey (408, (408, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02197 420 NtQueryValueKey (412, (412, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02198 420 NtQueryValueKey (408, (408, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (408, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02199 420 NtQueryValueKey (412, (412, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02200 420 NtQueryValueKey (408, (408, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02201 420 NtQueryValueKey (412, (412, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02202 420 NtQueryValueKey (408, (408, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02203 420 NtQueryValueKey (412, (412, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02204 420 NtQueryValueKey (412, (412, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02205 420 NtQueryValueKey (412, (412, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02206 420 NtQueryValueKey (412, (412, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02207 420 NtQueryValueKey (412, (412, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02208 420 NtQueryValueKey (412, (412, "UseEdns", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02209 420 NtQueryValueKey (412, (412, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02210 420 NtQueryValueKey (408, (408, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02211 420 NtQueryValueKey (412, (412, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02212 420 NtQueryValueKey (412, (412, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02213 420 NtQueryValueKey (408, (408, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02214 420 NtQueryValueKey (412, (412, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02215 420 NtQueryValueKey (408, (408, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02216 420 NtQueryValueKey (412, (412, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02217 420 NtQueryValueKey (408, (408, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02218 420 NtQueryValueKey (412, (412, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02219 420 NtQueryValueKey (408, (408, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02220 420 NtQueryValueKey (412, (412, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02221 420 NtQueryValueKey (408, (408, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02222 420 NtQueryValueKey (412, (412, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02223 420 NtQueryValueKey (408, (408, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02224 420 NtQueryValueKey (412, (412, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02225 420 NtQueryValueKey (408, (408, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02226 420 NtQueryValueKey (412, (412, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02227 420 NtQueryValueKey (408, (408, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02228 420 NtQueryValueKey (412, (412, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02229 420 NtQueryValueKey (412, (412, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02230 420 NtQueryValueKey (412, (412, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02231 420 NtQueryValueKey (412, (412, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02232 420 NtQueryValueKey (412, (412, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02233 420 NtQueryValueKey (412, (412, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02234 420 NtQueryValueKey (412, (412, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02235 420 NtQueryValueKey (412, (412, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02236 420 NtQueryValueKey (412, (412, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02237 420 NtQueryValueKey (412, (412, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02238 420 NtQueryValueKey (412, (412, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02239 420 NtQueryValueKey (412, (412, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02240 420 NtQueryValueKey (412, (412, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02241 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 416, ) }, ... 416, ) == 0x0 02242 420 NtQueryValueKey (416, (416, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02243 420 NtClose (416, ... ) == 0x0 02244 420 NtClose (408, ... ) == 0x0 02245 420 NtClose (412, ... ) == 0x0 02246 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 412, ) }, ... 412, ) == 0x0 02247 420 NtQueryValueKey (412, (412, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02248 420 NtQueryValueKey (412, (412, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02249 420 NtQueryValueKey (412, (412, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02250 420 NtClose (412, ... ) == 0x0 02251 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 412, ) == 0x0 02252 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 408, ) == 0x0 02253 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 416, ) == 0x0 02254 420 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02255 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41287680, 65536, ) == 0x0 02256 420 NtAllocateVirtualMemory (-1, 41287680, 0, 4096, 4096, 4, ... 41287680, 4096, ) == 0x0 02257 420 NtAllocateVirtualMemory (-1, 41291776, 0, 8192, 4096, 4, ... 41291776, 8192, ) == 0x0 02258 420 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 420, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 420, {status=0x0, info=0}, ) == 0x0 02259 420 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 424, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 424, {status=0x0, info=0}, ) == 0x0 02260 420 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 428, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 428, {status=0x0, info=0}, ) == 0x0 02261 420 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 432, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 432, {status=0x0, info=0}, ) == 0x0 02262 420 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1243200, (0x20100080, {24, 0, 0x40, 0, 1243200, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=0}, ) == 0x0 02263 420 NtAllocateVirtualMemory (-1, 41299968, 0, 36864, 4096, 4, ... 41299968, 36864, ) == 0x0 02264 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
440, ) == 0x0 02265 420 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (420, 440, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 02266 420 NtClose (440, ... ) == 0x0 02267 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 440, ) == 0x0 02268 420 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\251\235*\273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (420, 440, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\251\235*\273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 02269 420 NtClose (440, ... ) == 0x0 02270 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 440, ) == 0x0 02271 420 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... 
{status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0\312\235*\273\31j\10\0\356\1\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\33\240\0\0O\1\0\0+\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (420, 440, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0\312\235*\273\31j\10\0\356\1\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\33\240\0\0O\1\0\0+\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 02272 420 NtClose (440, ... ) == 0x0 02273 420 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02274 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 440, ) == 0x0 02275 420 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (420, 440, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 02276 420 NtClose (440, ... ) == 0x0 02277 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
440, ) == 0x0 02278 420 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (420, 440, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 02279 420 NtClose (440, ... ) == 0x0 02280 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 440, ) == 0x0 02281 420 NtDeviceIoControlFile (420, 440, 0x0, 0x0, 0x120003, (420, 440, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (420, 440, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 02282 420 NtClose (440, ... ) == 0x0 02283 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02284 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02285 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02286 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02287 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02288 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02289 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... 
{BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02290 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02291 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02292 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02293 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02294 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02295 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02296 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02297 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02298 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02299 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02300 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02301 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02302 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02303 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
41418752, 65536, ) == 0x0 02304 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02305 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02306 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02307 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02308 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02309 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02310 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02311 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02312 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02313 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02314 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02315 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02316 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02317 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... 
(0x2780000), 65536, ) == 0x0 02318 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02319 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02320 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02321 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02322 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02323 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02324 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02325 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02326 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02327 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02328 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02329 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02330 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02331 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... 
{BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02332 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02333 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02334 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02335 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02336 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02337 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02338 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02339 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02340 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02341 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02342 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02343 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02344 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02345 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 
41418752, 4096, ) == 0x0 02346 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02347 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02348 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02349 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02350 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02351 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02352 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02353 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02354 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02355 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02356 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02357 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02358 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02359 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... 
{BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02360 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02361 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02362 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02363 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02364 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02365 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02366 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02367 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02368 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02369 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02370 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02371 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02372 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02373 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
41418752, 65536, ) == 0x0 02374 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02375 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02376 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02377 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02378 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02379 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02380 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02381 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02382 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02383 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02384 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02385 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02386 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02387 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... 
(0x2780000), 65536, ) == 0x0 02388 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02389 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02390 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02391 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02392 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02393 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02394 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02395 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02396 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02397 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02398 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02399 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02400 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02401 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... 
{BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02402 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02403 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 41418752, 65536, ) == 0x0 02404 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02405 420 NtAllocateVirtualMemory (-1, 41418752, 0, 1, 4096, 4, ... 41418752, 4096, ) == 0x0 02406 420 NtQueryVirtualMemory (-1, 0x2780000, Basic, 28, ... {BaseAddress=0x2780000,AllocationBase=0x2780000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02407 420 NtFreeVirtualMemory (-1, (0x2780000), 0, 32768, ... (0x2780000), 65536, ) == 0x0 02408 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 440, ) }, ... 440, ) == 0x0 02409 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 444, ) }, ... 444, ) == 0x0 02410 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 448, ) }, ... 448, ) == 0x0 02411 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 452, ) }, ... 452, ) == 0x0 02412 420 NtQueryDefaultLocale (1, 1243136, ... ) == 0x0 02413 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 456, ) }, ... 456, ) == 0x0 02414 420 NtMapViewOfSection (456, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 02415 420 NtClose (456, ... ) == 0x0 02416 420 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 
456, ) == 0x0 02417 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 460, ) == 0x0 02418 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 464, ) }, ... 464, ) == 0x0 02419 420 NtNotifyChangeKey (464, 460, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 02420 420 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 02421 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 468, ) == 0x0 02422 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 472, ) == 0x0 02423 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02424 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02425 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "odbc32.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02426 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 02427 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 5, 96, ... 476, {status=0x0, info=1}, ) }, 5, 96, ... 476, {status=0x0, info=1}, ) == 0x0 02428 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 476, ... 480, ) == 0x0 02429 420 NtQuerySection (480, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02430 420 NtClose (476, ... ) == 0x0 02431 420 NtMapViewOfSection (480, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0 02432 420 NtClose (480, ... ) == 0x0 02433 420 NtProtectVirtualMemory (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 02434 420 NtProtectVirtualMemory (-1, (0x1f7b1000), 4096, 32, ... 
(0x1f7b1000), 4096, 4, ) == 0x0 02435 420 NtFlushInstructionCache (-1, 528158720, 724, ... ) == 0x0 02436 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 480, ) }, ... 480, ) == 0x0 02437 420 NtMapViewOfSection (480, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 02438 420 NtClose (480, ... ) == 0x0 02439 420 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0 02440 420 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 02441 420 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 02442 420 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 02443 420 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 02444 420 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d 02445 420 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02446 420 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02447 420 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02448 420 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 02449 420 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 02450 420 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02451 420 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02452 420 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02453 420 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 02454 420 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 02455 420 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 02456 420 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... 
) == 0xc074 02457 420 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 02458 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02459 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02460 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02461 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02462 420 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 41418752, 262144, ) == 0x0 02463 420 NtAllocateVirtualMemory (-1, 41418752, 0, 4096, 4096, 4, ... 41418752, 4096, ) == 0x0 02464 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02465 420 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 41680896, 262144, ) == 0x0 02466 420 NtAllocateVirtualMemory (-1, 41680896, 0, 4096, 4096, 4, ... 41680896, 4096, ) == 0x0 02467 420 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02468 420 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 41943040, 262144, ) == 0x0 02469 420 NtAllocateVirtualMemory (-1, 41943040, 0, 4096, 4096, 4, ... 41943040, 4096, ) == 0x0 02470 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02471 420 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 42205184, 262144, ) == 0x0 02472 420 NtAllocateVirtualMemory (-1, 42205184, 0, 4096, 4096, 4, ... 42205184, 4096, ) == 0x0 02473 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02474 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02475 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02476 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02477 420 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 
1384448, 4096, ) == 0x0 02478 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237980, ... ) }, 1237980, ... ) == 0x0 02479 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 480, {status=0x0, info=1}, ) }, 5, 96, ... 480, {status=0x0, info=1}, ) == 0x0 02480 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 480, ... 476, ) == 0x0 02481 420 NtClose (480, ... ) == 0x0 02482 420 NtMapViewOfSection (476, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2880000), 0x0, 90112, ) == 0x0 02483 420 NtClose (476, ... ) == 0x0 02484 420 NtUnmapViewOfSection (-1, 0x2880000, ... ) == 0x0 02485 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1238296, ... ) }, 1238296, ... ) == 0x0 02486 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 476, {status=0x0, info=1}, ) }, 5, 96, ... 476, {status=0x0, info=1}, ) == 0x0 02487 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 476, ... 480, ) == 0x0 02488 420 NtQuerySection (480, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02489 420 NtClose (476, ... ) == 0x0 02490 420 NtMapViewOfSection (480, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0 02491 420 NtClose (480, ... ) == 0x0 02492 420 NtQueryDefaultLocale (1, 1239984, ... ) == 0x0 02493 420 NtAllocateVirtualMemory (-1, 41422848, 0, 4096, 4096, 4, ... 41422848, 4096, ) == 0x0 02494 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE"}, ... 480, ) }, ... 480, ) == 0x0 02495 420 NtClose (480, ... ) == 0x0 02496 420 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02497 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02498 420 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02499 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02500 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "psapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02501 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\psapi.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02502 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "psapi.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02503 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 02504 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\psapi.dll"}, 5, 96, ... 480, {status=0x0, info=1}, ) }, 5, 96, ... 480, {status=0x0, info=1}, ) == 0x0 02505 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 480, ... 476, ) == 0x0 02506 420 NtQuerySection (476, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02507 420 NtClose (480, ... ) == 0x0 02508 420 NtMapViewOfSection (476, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0 02509 420 NtClose (476, ... ) == 0x0 02510 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "pstorec.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02511 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\pstorec.dll"}, 1242008, ... ) }, 1242008, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02512 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "pstorec.dll"}, 1242008, ... ) }, 1242008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02513 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 1242008, ... ) }, 1242008, ... ) == 0x0 02514 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pstorec.dll"}, 5, 96, ... 476, {status=0x0, info=1}, ) }, 5, 96, ... 476, {status=0x0, info=1}, ) == 0x0 02515 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 476, ... 480, ) == 0x0 02516 420 NtQuerySection (480, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02517 420 NtClose (476, ... ) == 0x0 02518 420 NtMapViewOfSection (480, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0 02519 420 NtClose (480, ... ) == 0x0 02520 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02521 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02522 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\regent.exe"}, 1243132, ... ) }, 1243132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02523 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242044, (0x80100080, {24, 0, 0x40, 0, 1242044, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 480, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 480, {status=0x0, info=1}, ) == 0x0 02524 420 NtQueryInformationFile (480, 1242980, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 02525 420 NtQueryInformationFile (480, 1242952, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02526 420 NtQueryInformationFile (480, 1242904, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02527 420 NtAllocateVirtualMemory (-1, 1388544, 0, 8192, 4096, 4, ... 
1388544, 8192, ) == 0x0 02528 420 NtQueryInformationFile (480, 1385320, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 02529 420 NtQueryInformationFile (480, 1241448, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02530 420 NtQueryInformationFile (480, 1241292, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 02531 420 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1241300, (0x40110080, {24, 0, 0x40, 0, 1241300, "\??\C:\WINDOWS\regent.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 02532 420 NtClose (-2147482020, ... ) == 0x0 02531 420 NtCreateFile ... 476, {status=0x0, info=2}, ) == 0x0 02533 420 NtQueryVolumeInformationFile (476, 1240672, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 02534 420 NtQueryInformationFile (476, 1240632, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02535 420 NtQueryVolumeInformationFile (480, 1240672, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 02536 420 NtQueryVolumeInformationFile (480, 1240356, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02537 420 NtSetInformationFile (476, 1240460, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02538 420 NtAllocateVirtualMemory (-1, 1396736, 0, 65536, 4096, 4, ... 1396736, 65536, ) == 0x0 02539 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250\0\0\0\321\370\216\370\225\231\340\253\225\231\340\253\225\231\340\253\356\205\354\253\226\231\340\253\26\205\356\253\220\231\340\253}\206\352\253\236\231\340\253V\226\275\253\223\231\340\253\225\231\341\2534\231\340\253}\206\344\253\220\231\340\253}\206\353\253\265\231\340\253Rich\225\231\340\253\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0k\317jF\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\1\0\0\340\6\0\0\0\0\0\24P\10\0\0\20\0\0\0@\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\30\0\0\4\0\0@\301\10\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24@\10\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0 \0 \10\0\0\20\0\0\0\316\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc \0\20\0\0\00\10\0\0\0\0\0\0\336\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.ida", ) , ) == 0x0 02540 420 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, 
"MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250\0\0\0\321\370\216\370\225\231\340\253\225\231\340\253\225\231\340\253\356\205\354\253\226\231\340\253\26\205\356\253\220\231\340\253}\206\352\253\236\231\340\253V\226\275\253\223\231\340\253\225\231\341\2534\231\340\253}\206\344\253\220\231\340\253}\206\353\253\265\231\340\253Rich\225\231\340\253\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0k\317jF\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\1\0\0\340\6\0\0\0\0\0\24P\10\0\0\20\0\0\0@\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\30\0\0\4\0\0@\301\10\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24@\10\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0 \0 \10\0\0\20\0\0\0\316\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc \0\20\0\0\00\10\0\0\0\0\0\0\336\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.ida", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02541 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, " H3\361\206\0\274\344$\279#\201\221\210w\242\222LX\352\320\235+\0w\213\303\17\31\23\364\2370\206\250@0\271\276@t^\3$\354\13\4\222\203\320\223\216T\0\304\3164\314l\217\303\10\0\17\364\260\301v$\202\36\0\271\312\206\220\377d\357\353&\13\128\22\306.\224\272\17\2145\203\264s\276\260f$\372\0 \4\223\203q\217t\25\376\262\0w\334\255\221\16\11\10\1\1]\323}\36P-\270\3048\326\0\355\22\335\343\6\367^\321\7\200\241uZ\247\216ox@\227\10\25%\2", ) , ) == 0x0 02542 420 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, " H3\361\206\0\274\344$\279#\201\221\210w\242\222LX\352\320\235+\0w\213\303\17\31\23\364\2370\206\250@0\271\276@t^\3$\354\13\4\222\203\320\223\216T\0\304\3164\314l\217\303\10\0\17\364\260\301v$\202\36\0\271\312\206\220\377d\357\353&\13\128\22\306.\224\272\17\2145\203\264s\276\260f$\372\0 \4\223\203q\217t\25\376\262\0w\334\255\221\16\11\10\1\1]\323}\36P-\270\3048\326\0\355\22\335\343\6\367^\321\7\200\241uZ\247\216ox@\227\10\25%\2", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02543 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "\377\1\\353\1+.\1\377\230\210\10\1F\25\26\274\20\14K\20\216d\31\2052\10\2S\344\265\30\201\206>\10.\324\200\5/\200L#\201\213\306\3\327\216Qx\220\230x$!\232\244\201\266\210\221q\220\14>\2670\374c\317\10p\260\20\30\233\333\20@\361\31\337\224q\24\1\307\250\210\30l\30\14&\341\20\232AP\351D\210\10\350\301\12\306\230\374\230\312\20C\326\312\10\314\370\210\237:\14\260\233(\363c\326\10\300\214\22\30[UX,)\27\242\200\211\200\371\2\263\7\273\30\14,\20\371\235\306()\340\10$\6\257\210\261\301\252\243\3X\30\251\3\5\10\320J\200 \331\306(f\263\10 L\32533a \207\209\336\334\30)\320 \24\373\306\10\217H\30$\315,\234\230\337\30\235\353\310I\230\10\252Q9\240tyF\201\372$L\253@C\215\253\324\342&\2}\362\5vD\250VT\4\230\270\4\275\355\6M\3\20\351W\200\206\246\31\210\354\301\10\200S\303\200P"\200o\361\321q\360s@iG@9a\222\360g\4\371\260\34A\304\304\10\14\233\223\34\316\20\20\251q\22znHx\254\10\14u\10pc\10_#\14\22\3218D@e\307b\363\20ZX\3:?\20\10\335\314*8\210T!\260\316@\273\3@\321`\23\234\374\350$\244\256\340H\207\313.\213\320\130d\204\20;G,\6u\2\353\23\211\167\271\247=\240\5\1D\217\1@I\13\311u\367\213a\343\307\240\336\3\3601\271\113\300\340\17\2614O0,\376\300_\351>8\300&h/1\347j{^0?\2108[\4C\265x\32\351\360\10\271\267\321R\144R<_\0@\5\326v\223H5Z\23\350\6\311\262~\14\351T\27,\272\27\236<\25\6\307\23\255N\277h$\264\367\366Be(*", ) \200o\361\321q\360s@iG@9a\222\360g\4\371\260\34A\304\304\10\14\233\223\34\316\20\20\251q\22znHx\254\10\14u\10pc\10_#\14\22\3218D@e\307b\363\20ZX\3:?\20\10\335\314*8\210T!\260\316@\273\3@\321`\23\234\374\350$\244\256\340H\207\313.\213\320\130d\204\20;G,\6u\2\353\23\211\167\271\247=\240\5\1D\217\1@I\13\311u\367\213a\343\307\240\336\3\3601\271\113\300\340\17\2614O0,\376\300_\351>8\300&h/1\347j{^0?\2108[\4C\265x\32\351\360\10\271\267\321R\144R<_\0@\5\326v\223H5Z\23\350\6\311\262~\14\351T\27,\272\27\236<\25\6\307\23\255N\277h$\264\367\366Be(*", ) == 0x0 02544 420 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, 
"\377\1\\353\1+.\1\377\230\210\10\1F\25\26\274\20\14K\20\216d\31\2052\10\2S\344\265\30\201\206>\10.\324\200\5/\200L#\201\213\306\3\327\216Qx\220\230x$!\232\244\201\266\210\221q\220\14>\2670\374c\317\10p\260\20\30\233\333\20@\361\31\337\224q\24\1\307\250\210\30l\30\14&\341\20\232AP\351D\210\10\350\301\12\306\230\374\230\312\20C\326\312\10\314\370\210\237:\14\260\233(\363c\326\10\300\214\22\30[UX,)\27\242\200\211\200\371\2\263\7\273\30\14,\20\371\235\306()\340\10$\6\257\210\261\301\252\243\3X\30\251\3\5\10\320J\200 \331\306(f\263\10 L\32533a \207\209\336\334\30)\320 \24\373\306\10\217H\30$\315,\234\230\337\30\235\353\310I\230\10\252Q9\240tyF\201\372$L\253@C\215\253\324\342&\2}\362\5vD\250VT\4\230\270\4\275\355\6M\3\20\351W\200\206\246\31\210\354\301\10\200S\303\200P"\200o\361\321q\360s@iG@9a\222\360g\4\371\260\34A\304\304\10\14\233\223\34\316\20\20\251q\22znHx\254\10\14u\10pc\10_#\14\22\3218D@e\307b\363\20ZX\3:?\20\10\335\314*8\210T!\260\316@\273\3@\321`\23\234\374\350$\244\256\340H\207\313.\213\320\130d\204\20;G,\6u\2\353\23\211\167\271\247=\240\5\1D\217\1@I\13\311u\367\213a\343\307\240\336\3\3601\271\113\300\340\17\2614O0,\376\300_\351>8\300&h/1\347j{^0?\2108[\4C\265x\32\351\360\10\271\267\321R\144R<_\0@\5\326v\223H5Z\23\350\6\311\262~\14\351T\27,\272\27\236<\25\6\307\23\255N\277h$\264\367\366Be(*", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \200o\361\321q\360s@iG@9a\222\360g\4\371\260\34A\304\304\10\14\233\223\34\316\20\20\251q\22znHx\254\10\14u\10pc\10_#\14\22\3218D@e\307b\363\20ZX\3:?\20\10\335\314*8\210T!\260\316@\273\3@\321`\23\234\374\350$\244\256\340H\207\313.\213\320\130d\204\20;G,\6u\2\353\23\211\167\271\247=\240\5\1D\217\1@I\13\311u\367\213a\343\307\240\336\3\3601\271\113\300\340\17\2614O0,\376\300_\351>8\300&h/1\347j{^0?\2108[\4C\265x\32\351\360\10\271\267\321R\144R<_\0@\5\326v\223H5Z\23\350\6\311\262~\14\351T\27,\272\27\236<\25\6\307\23\255N\277h$\264\367\366Be(*", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 02545 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\2dXrn\377\2\3\22W\300\27\2377\237V\202\313\325\276a\225\XZw\315\247-_\241X\351\3703n\243\241\326\254\270B\12N\330\20\351%-\270\251D]Pi\303\14\230R\\263\1\345\20\277\10\13\351~\361\224g\20h1K\27\351\10\261\306+\242Z\203h\16.\20'\305~^\372D\367\236V\265,\350\37r\1\7Qh\215J\362ZC\272\311\271%\15\305I\334\341\261\242SM\301\4\354:\24G\257\350\334J\366A\0\271?\247\250\36\351\211Ns\270\10\271z\204!c\335h\213\21\204\272\346\2K\342\251\304\263\374\275;\36\357+R\253\341\11>\374\311\360\351mF\2227\357\255"\365\270\12\351qcm%\35[\13\25!\330\376vi\347\313\3222\177\12\330\0OXfM\275L>%\353\333\255\33s\16\347IwV\317\345\303rG\23\340\305\243\323\26\31\366)\11YX\302\273uj\32aR\342\24\213)whXVT\36\351.\211q\240\261[z\250f/\317\200\317\366\327\206\371\227\340\321\351\273\347\360\237(\225E5\255\376e\223\207\12\335s\223o\5\24\61\320\262\210`t\237@\230\275\4\21QfKM\256T\21\276\30\337B\3542\36\5\270\275\351\21\307\277\3451\373\247\220\250c(1\2201\366/]\276\301;\357\213L\301\376Q5\10\375\221\23X\354\353\360f\367\341\220\17'\264\26\364\356\342\256\355\335\24\364 \22\16\26h\233C\214N\337A\316\327\342\266\376\311\357f\315\277\26\1\275\252{\221O\270\256\202\13)\350\351\312X\200\234\223\15\322\11P\7\315\342f^l\227\3\345ktZ\1\332\372\177\326p\27\277\272@q\5\202-uM:)\370\320\7\3510\274k,\270Q\2242=\220"_}B5_\3207\365o\242B\20\260e_\273!7\317", ) 
\365\270\12\351qcm%\35[\13\25!\330\376vi\347\313\3222\177\12\330\0OXfM\275L>%\353\333\255\33s\16\347IwV\317\345\303rG\23\340\305\243\323\26\31\366)\11YX\302\273uj\32aR\342\24\213)whXVT\36\351.\211q\240\261[z\250f/\317\200\317\366\327\206\371\227\340\321\351\273\347\360\237(\225E5\255\376e\223\207\12\335s\223o\5\24\61\320\262\210`t\237@\230\275\4\21QfKM\256T\21\276\30\337B\3542\36\5\270\275\351\21\307\277\3451\373\247\220\250c(1\2201\366/]\276\301;\357\213L\301\376Q5\10\375\221\23X\354\353\360f\367\341\220\17'\264\26\364\356\342\256\355\335\24\364 \22\16\26h\233C\214N\337A\316\327\342\266\376\311\357f\315\277\26\1\275\252{\221O\270\256\202\13)\350\351\312X\200\234\223\15\322\11P\7\315\342f^l\227\3\345ktZ\1\332\372\177\326p\27\277\272@q\5\202-uM:)\370\320\7\3510\274k,\270Q\2242=\220 (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\2dXrn\377\2\3\22W\300\27\2377\237V\202\313\325\276a\225\XZw\315\247-_\241X\351\3703n\243\241\326\254\270B\12N\330\20\351%-\270\251D]Pi\303\14\230R\\263\1\345\20\277\10\13\351~\361\224g\20h1K\27\351\10\261\306+\242Z\203h\16.\20'\305~^\372D\367\236V\265,\350\37r\1\7Qh\215J\362ZC\272\311\271%\15\305I\334\341\261\242SM\301\4\354:\24G\257\350\334J\366A\0\271?\247\250\36\351\211Ns\270\10\271z\204!c\335h\213\21\204\272\346\2K\342\251\304\263\374\275;\36\357+R\253\341\11>\374\311\360\351mF\2227\357\255"\365\270\12\351qcm%\35[\13\25!\330\376vi\347\313\3222\177\12\330\0OXfM\275L>%\353\333\255\33s\16\347IwV\317\345\303rG\23\340\305\243\323\26\31\366)\11YX\302\273uj\32aR\342\24\213)whXVT\36\351.\211q\240\261[z\250f/\317\200\317\366\327\206\371\227\340\321\351\273\347\360\237(\225E5\255\376e\223\207\12\335s\223o\5\24\61\320\262\210`t\237@\230\275\4\21QfKM\256T\21\276\30\337B\3542\36\5\270\275\351\21\307\277\3451\373\247\220\250c(1\2201\366/]\276\301;\357\213L\301\376Q5\10\375\221\23X\354\353\360f\367\341\220\17'\264\26\364\356\342\256\355\335\24\364 
\22\16\26h\233C\214N\337A\316\327\342\266\376\311\357f\315\277\26\1\275\252{\221O\270\256\202\13)\350\351\312X\200\234\223\15\322\11P\7\315\342f^l\227\3\345ktZ\1\332\372\177\326p\27\277\272@q\5\202-uM:)\370\320\7\3510\274k,\270Q\2242=\220"_}B5_\3207\365o\242B\20\260e_\273!7\317", ) , ) == 0x0 02546 420 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "\2dXrn\377\2\3\22W\300\27\2377\237V\202\313\325\276a\225\XZw\315\247-_\241X\351\3703n\243\241\326\254\270B\12N\330\20\351%-\270\251D]Pi\303\14\230R\\263\1\345\20\277\10\13\351~\361\224g\20h1K\27\351\10\261\306+\242Z\203h\16.\20'\305~^\372D\367\236V\265,\350\37r\1\7Qh\215J\362ZC\272\311\271%\15\305I\334\341\261\242SM\301\4\354:\24G\257\350\334J\366A\0\271?\247\250\36\351\211Ns\270\10\271z\204!c\335h\213\21\204\272\346\2K\342\251\304\263\374\275;\36\357+R\253\341\11>\374\311\360\351mF\2227\357\255"\365\270\12\351qcm%\35[\13\25!\330\376vi\347\313\3222\177\12\330\0OXfM\275L>%\353\333\255\33s\16\347IwV\317\345\303rG\23\340\305\243\323\26\31\366)\11YX\302\273uj\32aR\342\24\213)whXVT\36\351.\211q\240\261[z\250f/\317\200\317\366\327\206\371\227\340\321\351\273\347\360\237(\225E5\255\376e\223\207\12\335s\223o\5\24\61\320\262\210`t\237@\230\275\4\21QfKM\256T\21\276\30\337B\3542\36\5\270\275\351\21\307\277\3451\373\247\220\250c(1\2201\366/]\276\301;\357\213L\301\376Q5\10\375\221\23X\354\353\360f\367\341\220\17'\264\26\364\356\342\256\355\335\24\364 \22\16\26h\233C\214N\337A\316\327\342\266\376\311\357f\315\277\26\1\275\252{\221O\270\256\202\13)\350\351\312X\200\234\223\15\322\11P\7\315\342f^l\227\3\345ktZ\1\332\372\177\326p\27\277\272@q\5\202-uM:)\370\320\7\3510\274k,\270Q\2242=\220"_}B5_\3207\365o\242B\20\260e_\273!7\317", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \365\270\12\351qcm%\35[\13\25!\330\376vi\347\313\3222\177\12\330\0OXfM\275L>%\353\333\255\33s\16\347IwV\317\345\303rG\23\340\305\243\323\26\31\366)\11YX\302\273uj\32aR\342\24\213)whXVT\36\351.\211q\240\261[z\250f/\317\200\317\366\327\206\371\227\340\321\351\273\347\360\237(\225E5\255\376e\223\207\12\335s\223o\5\24\61\320\262\210`t\237@\230\275\4\21QfKM\256T\21\276\30\337B\3542\36\5\270\275\351\21\307\277\3451\373\247\220\250c(1\2201\366/]\276\301;\357\213L\301\376Q5\10\375\221\23X\354\353\360f\367\341\220\17'\264\26\364\356\342\256\355\335\24\364 \22\16\26h\233C\214N\337A\316\327\342\266\376\311\357f\315\277\26\1\275\252{\221O\270\256\202\13)\350\351\312X\200\234\223\15\322\11P\7\315\342f^l\227\3\345ktZ\1\332\372\177\326p\27\277\272@q\5\202-uM:)\370\320\7\3510\274k,\270Q\2242=\220 (476, 0, 0, 0, "\2dXrn\377\2\3\22W\300\27\2377\237V\202\313\325\276a\225\XZw\315\247-_\241X\351\3703n\243\241\326\254\270B\12N\330\20\351%-\270\251D]Pi\303\14\230R\\263\1\345\20\277\10\13\351~\361\224g\20h1K\27\351\10\261\306+\242Z\203h\16.\20'\305~^\372D\367\236V\265,\350\37r\1\7Qh\215J\362ZC\272\311\271%\15\305I\334\341\261\242SM\301\4\354:\24G\257\350\334J\366A\0\271?\247\250\36\351\211Ns\270\10\271z\204!c\335h\213\21\204\272\346\2K\342\251\304\263\374\275;\36\357+R\253\341\11>\374\311\360\351mF\2227\357\255"\365\270\12\351qcm%\35[\13\25!\330\376vi\347\313\3222\177\12\330\0OXfM\275L>%\353\333\255\33s\16\347IwV\317\345\303rG\23\340\305\243\323\26\31\366)\11YX\302\273uj\32aR\342\24\213)whXVT\36\351.\211q\240\261[z\250f/\317\200\317\366\327\206\371\227\340\321\351\273\347\360\237(\225E5\255\376e\223\207\12\335s\223o\5\24\61\320\262\210`t\237@\230\275\4\21QfKM\256T\21\276\30\337B\3542\36\5\270\275\351\21\307\277\3451\373\247\220\250c(1\2201\366/]\276\301;\357\213L\301\376Q5\10\375\221\23X\354\353\360f\367\341\220\17'\264\26\364\356\342\256\355\335\24\364 
\22\16\26h\233C\214N\337A\316\327\342\266\376\311\357f\315\277\26\1\275\252{\221O\270\256\202\13)\350\351\312X\200\234\223\15\322\11P\7\315\342f^l\227\3\345ktZ\1\332\372\177\326p\27\277\272@q\5\202-uM:)\370\320\7\3510\274k,\270Q\2242=\220"_}B5_\3207\365o\242B\20\260e_\273!7\317", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02547 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\325\202{qlC\274\354<\260\5JSpn\177\4\260\355\206\277#hg\332( \215\3255\223\371{%P\255\310\271{\2\252\12\277\366\330\2240\234\303\311\37\233\263\6\214\6d\335\244\300 Z\356\304X\247\256\350d\4\206\343\4\324\11$\300 \345x\\222`N\233 \300\330\26<%\303u\23\0\321C\34\251\275\260+\325_f\210Hm\23Rp7\254p\5\303\362\273T\355\224\304\355\360\270\244\200\201\351I\33|\265 t\305\235\343\260N\10\216\14N\332\264\234@L\255\334c\320\344\11\244\315\277xg\360\304\354w\1\22\332\26p\14l\34P\320\277\240\11\265\376\203O\321\14\203w\314\317\32\22 \233<\322H\320 \377\16eV\7\14\2646\23\273\341C\24NL(\246\212U7D\1\23\311\307-\365\370.\217N`\0\244\371}d_?\226\24/\267@\3\23C5\327\210W\377\,\277\222\320\216\206\271j\375\240'{$q\3\320\7\345\03\245(\360\267\373o\263\224\320\2\237R2\233\334,\200\323\213\270M\242\354\4\25\375\346\37\217\275\330"0\13\301\252\357\363\333\264\200\30\233\4<\335\360\22\353\344\316\3\250d3D\203\25\240!\204\245\37\200\276\202J\373\311\310tF\3179>\200ix\231\357\2\207\326\276\304\4\1\260\317\240\300\345cC\261\376\251\305\374\200\212\325\323\0e\231,H\245\27\0\2630}\36\13OA\16\230\300\1\10J\347\215\227\353KT\210\316\300\337\32\300\357\0k\30\217\356\270\247\25\355%O\15\344\220\13\333\362\233\351%\234:\201\10\24\345{WT\232(\300#\365\356\341\265z&\16~\37y\26=\216\357\360\353d*\200a\346\260\340\370z7\1J(C\227\256\372\315V\204\334\1CG\237B\\324}Et\4\34\273\357I\317\362\340%\313\31\315", ) 
0\13\301\252\357\363\333\264\200\30\233\4<\335\360\22\353\344\316\3\250d3D\203\25\240!\204\245\37\200\276\202J\373\311\310tF\3179>\200ix\231\357\2\207\326\276\304\4\1\260\317\240\300\345cC\261\376\251\305\374\200\212\325\323\0e\231,H\245\27\0\2630}\36\13OA\16\230\300\1\10J\347\215\227\353KT\210\316\300\337\32\300\357\0k\30\217\356\270\247\25\355%O\15\344\220\13\333\362\233\351%\234:\201\10\24\345{WT\232(\300#\365\356\341\265z&\16~\37y\26=\216\357\360\353d*\200a\346\260\340\370z7\1J(C\227\256\372\315V\204\334\1CG\237B\\324}Et\4\34\273\357I\317\362\340%\313\31\315", ) == 0x0 02548 420 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "\325\202{qlC\274\354<\260\5JSpn\177\4\260\355\206\277#hg\332( \215\3255\223\371{%P\255\310\271{\2\252\12\277\366\330\2240\234\303\311\37\233\263\6\214\6d\335\244\300 Z\356\304X\247\256\350d\4\206\343\4\324\11$\300 \345x\\222`N\233 \300\330\26<%\303u\23\0\321C\34\251\275\260+\325_f\210Hm\23Rp7\254p\5\303\362\273T\355\224\304\355\360\270\244\200\201\351I\33|\265 t\305\235\343\260N\10\216\14N\332\264\234@L\255\334c\320\344\11\244\315\277xg\360\304\354w\1\22\332\26p\14l\34P\320\277\240\11\265\376\203O\321\14\203w\314\317\32\22 \233<\322H\320 
\377\16eV\7\14\2646\23\273\341C\24NL(\246\212U7D\1\23\311\307-\365\370.\217N`\0\244\371}d_?\226\24/\267@\3\23C5\327\210W\377\,\277\222\320\216\206\271j\375\240'{$q\3\320\7\345\03\245(\360\267\373o\263\224\320\2\237R2\233\334,\200\323\213\270M\242\354\4\25\375\346\37\217\275\330"0\13\301\252\357\363\333\264\200\30\233\4<\335\360\22\353\344\316\3\250d3D\203\25\240!\204\245\37\200\276\202J\373\311\310tF\3179>\200ix\231\357\2\207\326\276\304\4\1\260\317\240\300\345cC\261\376\251\305\374\200\212\325\323\0e\231,H\245\27\0\2630}\36\13OA\16\230\300\1\10J\347\215\227\353KT\210\316\300\337\32\300\357\0k\30\217\356\270\247\25\355%O\15\344\220\13\333\362\233\351%\234:\201\10\24\345{WT\232(\300#\365\356\341\265z&\16~\37y\26=\216\357\360\353d*\200a\346\260\340\370z7\1J(C\227\256\372\315V\204\334\1CG\237B\\324}Et\4\34\273\357I\317\362\340%\313\31\315", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) 0\13\301\252\357\363\333\264\200\30\233\4<\335\360\22\353\344\316\3\250d3D\203\25\240!\204\245\37\200\276\202J\373\311\310tF\3179>\200ix\231\357\2\207\326\276\304\4\1\260\317\240\300\345cC\261\376\251\305\374\200\212\325\323\0e\231,H\245\27\0\2630}\36\13OA\16\230\300\1\10J\347\215\227\353KT\210\316\300\337\32\300\357\0k\30\217\356\270\247\25\355%O\15\344\220\13\333\362\233\351%\234:\201\10\24\345{WT\232(\300#\365\356\341\265z&\16~\37y\26=\216\357\360\353d*\200a\346\260\340\370z7\1J(C\227\256\372\315V\204\334\1CG\237B\\324}Et\4\34\273\357I\317\362\340%\313\31\315", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02549 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "\0]|\324\213o\31\270z\0Gq\16\327\256\267\325\240\342\275\30\353\272n)\223\33\210\\27\211Q\10\302De\307D\32WD\242\15\204\20\322-\203!\313\10\24p\220\11\202\7\273}\2_/\7:0&\32\220Rw\242\0\332\243\207\316\357\313\367\36\0{\365Y\250\340h\300\303\0\334\217\223\213\315\236c\372\0?/3-\255\357}r\0Z\211[\352\257(#\6\7\244\245m\364\300p\377&X4\0\25K\12\11\210\226N]\0<\31\304\312Q\262\240\342>\6\200\366@L/\357B5\11\275\330\346\235\\6\0?\253Q\273\227f\0F_\215@c\373\304\367\0\326\332\353m68YA\09\253\203F}\331]e\0Ht\226g\227dk\367>~#\1\237\223\275\242\352\270|\203\0\330\323\353\320\345\344\213\34\262.\226\200\312\331:\361\\274\1\35\346\233?\220\301\235 \20\341(\370{\272\35\327\374\217@\12\2310B\306h\0b\266\305\215q\271\376\15y\354\0\330\262\255>\307|5\356pp\265X\273\16\343P<\277c'\37r\350\16\364w\0\2243J\243\233i\345\323\0\250\5E\21\200\212s\344\36\310\352]\300\11\376\224\334\302\314\23&\277\373\0Y\317\305\352\207\235H\337`\0\213\325\347\200r\11a\0\370\360\216\346\211\235\375g\0\260\332\234\376\311&\307\262\0)\223\230\274J\341\224l{\256\0d?\363}\244\240\237\13\16x\265\233\251 \353\23\253O\314\16\35\214\5g\300n\213\235\205,\0Y?zN\351\225\334^\3\24\23\30\6=\306\240\245\4n\2\277\314r(\20\244`\332\305\346\1\357\252\205D\272\235_@\224\276\321 \0\243B\34R\256\14l\340\0\330{\3\372\260\32\250\2308\20\6\216\243\231\16\274\4\376\354G\2224Q\\366\0\314(E_'\200\0y", ) , ) == 0x0 02550 420 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, 
"\0]|\324\213o\31\270z\0Gq\16\327\256\267\325\240\342\275\30\353\272n)\223\33\210\\27\211Q\10\302De\307D\32WD\242\15\204\20\322-\203!\313\10\24p\220\11\202\7\273}\2_/\7:0&\32\220Rw\242\0\332\243\207\316\357\313\367\36\0{\365Y\250\340h\300\303\0\334\217\223\213\315\236c\372\0?/3-\255\357}r\0Z\211[\352\257(#\6\7\244\245m\364\300p\377&X4\0\25K\12\11\210\226N]\0<\31\304\312Q\262\240\342>\6\200\366@L/\357B5\11\275\330\346\235\\6\0?\253Q\273\227f\0F_\215@c\373\304\367\0\326\332\353m68YA\09\253\203F}\331]e\0Ht\226g\227dk\367>~#\1\237\223\275\242\352\270|\203\0\330\323\353\320\345\344\213\34\262.\226\200\312\331:\361\\274\1\35\346\233?\220\301\235 \20\341(\370{\272\35\327\374\217@\12\2310B\306h\0b\266\305\215q\271\376\15y\354\0\330\262\255>\307|5\356pp\265X\273\16\343P<\277c'\37r\350\16\364w\0\2243J\243\233i\345\323\0\250\5E\21\200\212s\344\36\310\352]\300\11\376\224\334\302\314\23&\277\373\0Y\317\305\352\207\235H\337`\0\213\325\347\200r\11a\0\370\360\216\346\211\235\375g\0\260\332\234\376\311&\307\262\0)\223\230\274J\341\224l{\256\0d?\363}\244\240\237\13\16x\265\233\251 \353\23\253O\314\16\35\214\5g\300n\213\235\205,\0Y?zN\351\225\334^\3\24\23\30\6=\306\240\245\4n\2\277\314r(\20\244`\332\305\346\1\357\252\205D\272\235_@\224\276\321 \0\243B\34R\256\14l\340\0\330{\3\372\260\32\250\2308\20\6\216\243\231\16\274\4\376\354G\2224Q\\366\0\314(E_'\200\0y", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02551 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, "\300\17t\7\225\16X\35\275\340.a@\252\300(\301\266\246CK\1\215\27n~\364\26\365.\7\3342\357\261zf\337\304\260J\0.\277\331-\354\243\367\1\0\336\200&je\2746\362\16\256\324\14\375\200O\307\203\27y\16@\247\7\2217\1\314 .\344\324`H\232\30l\15~(\321n\0j\260\14\222\263\6\311\23\35\366\370\371\16\327\204\3008\254\306\273\376\360\31\0HGC\212m\245\300\207\15\375\215\252\314I\330+\24\16`\2yi=\200\233;\310\3602\333\344\226\240\210uJ\7r\22I\337g`\234G\222i\0\304,\243\344\372|\255\25\16\257\5\225\333G\15F\301\343v\4 \34\37\%\25\0\301\242\202\23\350~D\17\(\232-\366\27\23\200HV\260\316\0\2\376\357\1\222?M\255\16`{\264\350"\24\363\240\306\2519\1\3\330\303\207\201R> L\264\3\340\307y(\12\35\3303\2449.I\275(\0b\220\7\363P\315\36E\311\342\303X\377\350C\360\31\317\352\0\212q\5\214'\234\364t\360n\1*\226ZA\351g^\345\230;@4\31 w\26\343\230\221\177\372\0\3061,/\210\374z\3q0\0)93\14~\34\206\236\0\205\116\316\361\215C\224\11\25\307\251\336\1\0f\345R\2000\265\260\327V\3357\225 8D\211S@\0\2375';\203 \261\243x\7\17/\370\17\266\300\226]_\372V\7k\343\27\21\347`\242\326\275\15=\377(\0\224z}\273<\205\370KW\7l\326\361\2456\2604c\17\317\63\236\300\226\322G\373\363\0\12\254/\13\326\240\14\217>*\256\5\274\6\336s\300Z\317\265H\1\330\201\207g:\16\301*\260\311\262\344\263\0\204\353T\227W\361\207'\0\336)\203?@Y\377\370`_ \314\305\201z\7y\33\307\352/", ) \24\363\240\306\2519\1\3\330\303\207\201R> L\264\3\340\307y(\12\35\3303\2449.I\275(\0b\220\7\363P\315\36E\311\342\303X\377\350C\360\31\317\352\0\212q\5\214'\234\364t\360n\1*\226ZA\351g^\345\230;@4\31 w\26\343\230\221\177\372\0\3061,/\210\374z\3q0\0)93\14~\34\206\236\0\205\116\316\361\215C\224\11\25\307\251\336\1\0f\345R\2000\265\260\327V\3357\225 8D\211S@\0\2375';\203 
\261\243x\7\17/\370\17\266\300\226]_\372V\7k\343\27\21\347`\242\326\275\15=\377(\0\224z}\273<\205\370KW\7l\326\361\2456\2604c\17\317\63\236\300\226\322G\373\363\0\12\254/\13\326\240\14\217>*\256\5\274\6\336s\300Z\317\265H\1\330\201\207g:\16\301*\260\311\262\344\263\0\204\353T\227W\361\207'\0\336)\203?@Y\377\370`_ \314\305\201z\7y\33\307\352/", ) == 0x0 02552 420 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "\300\17t\7\225\16X\35\275\340.a@\252\300(\301\266\246CK\1\215\27n~\364\26\365.\7\3342\357\261zf\337\304\260J\0.\277\331-\354\243\367\1\0\336\200&je\2746\362\16\256\324\14\375\200O\307\203\27y\16@\247\7\2217\1\314 .\344\324`H\232\30l\15~(\321n\0j\260\14\222\263\6\311\23\35\366\370\371\16\327\204\3008\254\306\273\376\360\31\0HGC\212m\245\300\207\15\375\215\252\314I\330+\24\16`\2yi=\200\233;\310\3602\333\344\226\240\210uJ\7r\22I\337g`\234G\222i\0\304,\243\344\372|\255\25\16\257\5\225\333G\15F\301\343v\4 \34\37\%\25\0\301\242\202\23\350~D\17\(\232-\366\27\23\200HV\260\316\0\2\376\357\1\222?M\255\16`{\264\350"\24\363\240\306\2519\1\3\330\303\207\201R> L\264\3\340\307y(\12\35\3303\2449.I\275(\0b\220\7\363P\315\36E\311\342\303X\377\350C\360\31\317\352\0\212q\5\214'\234\364t\360n\1*\226ZA\351g^\345\230;@4\31 w\26\343\230\221\177\372\0\3061,/\210\374z\3q0\0)93\14~\34\206\236\0\205\116\316\361\215C\224\11\25\307\251\336\1\0f\345R\2000\265\260\327V\3357\225 8D\211S@\0\2375';\203 \261\243x\7\17/\370\17\266\300\226]_\372V\7k\343\27\21\347`\242\326\275\15=\377(\0\224z}\273<\205\370KW\7l\326\361\2456\2604c\17\317\63\236\300\226\322G\373\363\0\12\254/\13\326\240\14\217>*\256\5\274\6\336s\300Z\317\265H\1\330\201\207g:\16\301*\260\311\262\344\263\0\204\353T\227W\361\207'\0\336)\203?@Y\377\370`_ \314\305\201z\7y\33\307\352/", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \24\363\240\306\2519\1\3\330\303\207\201R> L\264\3\340\307y(\12\35\3303\2449.I\275(\0b\220\7\363P\315\36E\311\342\303X\377\350C\360\31\317\352\0\212q\5\214'\234\364t\360n\1*\226ZA\351g^\345\230;@4\31 w\26\343\230\221\177\372\0\3061,/\210\374z\3q0\0)93\14~\34\206\236\0\205\116\316\361\215C\224\11\25\307\251\336\1\0f\345R\2000\265\260\327V\3357\225 8D\211S@\0\2375';\203 \261\243x\7\17/\370\17\266\300\226]_\372V\7k\343\27\21\347`\242\326\275\15=\377(\0\224z}\273<\205\370KW\7l\326\361\2456\2604c\17\317\63\236\300\226\322G\373\363\0\12\254/\13\326\240\14\217>*\256\5\274\6\336s\300Z\317\265H\1\330\201\207g:\16\301*\260\311\262\344\263\0\204\353T\227W\361\207'\0\336)\203?@Y\377\370`_ \314\305\201z\7y\33\307\352/", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02553 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\2460I\205\34\14\2\257\202P\215\11\363\235\260(\0H\250\201\375\4x\30\0\376\346y\367\303\255\366*H\7\24$&\10\240\266\0\231\240\302\11\311`E\360\35 \212L0qx\325\227\5\30\6\203\207\340h\267\0\336\323\355\216\356)"-\0\34\36325 \330\332`\0/\26U\254\260\372\204\3424\227\337\350\3\254\216\232\32\236\240\0Ka\273\355\6\346\250"\11\27\315\227Q*\204P\304\341\300\223y\300\371|\324c\11\221f\331\210\302\305\275\0\341\33\330\12&\361\32\237\1,\206\235\26\216\353- \320\254\05\335\20\360yX\322<\0\255 ;\277_\11(8\307x\177+/\240\35V\351\204\253\4F\306f|\37\200\204\215C\256\3Y\235)\330\231+\249\326\347X\3\30\25:\7\214\0\350m\300\350\227\206\270\20\360\241\24qP#\370\0\251g\26\352\205\263\366\222\10\10W\252\2\374\1\301(\270\260\350P\204N\11+\11\372\6uQ\214$0\362D\13\250\0\350\344B5*\365\232\377\22u\357\16B4p\24'\0\3026\207\253\4\321\2Vl\216\320 *\373\331\0\31y\255\374\16\26u\1L\356\204\11\246\263\335\2037\333\201\4\20\373\314\264ZqU\335\14\301r\234\0x\336\344Ss=\4P\350\5\5\307MtV\332\0\240-\253>@\2249\276\356\200\274x\324QS|\32\0\26\36~\220?tB`5O\335\260 
,\201\250\320\374\177\0\303E\10:\236\267\266\344\346\355\0\13\376\275i\330\35\301\363\372k\6J\16\370r\312(\1~\342\215\314\35\254\262\340\17b\13)\260|\355\325\0}D\263W\311\0\215s7(B\231Y\32\0\356\276\251\341l\357\277~\0", ) x\325\227\5\30\6\203\207\340h\267\0\336\323\355\216\356) (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\2460I\205\34\14\2\257\202P\215\11\363\235\260(\0H\250\201\375\4x\30\0\376\346y\367\303\255\366*H\7\24$&\10\240\266\0\231\240\302\11\311`E\360\35 \212L0qx\325\227\5\30\6\203\207\340h\267\0\336\323\355\216\356)"-\0\34\36325 \330\332`\0/\26U\254\260\372\204\3424\227\337\350\3\254\216\232\32\236\240\0Ka\273\355\6\346\250"\11\27\315\227Q*\204P\304\341\300\223y\300\371|\324c\11\221f\331\210\302\305\275\0\341\33\330\12&\361\32\237\1,\206\235\26\216\353- \320\254\05\335\20\360yX\322<\0\255 ;\277_\11(8\307x\177+/\240\35V\351\204\253\4F\306f|\37\200\204\215C\256\3Y\235)\330\231+\249\326\347X\3\30\25:\7\214\0\350m\300\350\227\206\270\20\360\241\24qP#\370\0\251g\26\352\205\263\366\222\10\10W\252\2\374\1\301(\270\260\350P\204N\11+\11\372\6uQ\214$0\362D\13\250\0\350\344B5*\365\232\377\22u\357\16B4p\24'\0\3026\207\253\4\321\2Vl\216\320 *\373\331\0\31y\255\374\16\26u\1L\356\204\11\246\263\335\2037\333\201\4\20\373\314\264ZqU\335\14\301r\234\0x\336\344Ss=\4P\350\5\5\307MtV\332\0\240-\253>@\2249\276\356\200\274x\324QS|\32\0\26\36~\220?tB`5O\335\260 ,\201\250\320\374\177\0\303E\10:\236\267\266\344\346\355\0\13\376\275i\330\35\301\363\372k\6J\16\370r\312(\1~\342\215\314\35\254\262\340\17b\13)\260|\355\325\0}D\263W\311\0\215s7(B\231Y\32\0\356\276\251\341l\357\277~\0", ) \11\27\315\227Q*\204P\304\341\300\223y\300\371|\324c\11\221f\331\210\302\305\275\0\341\33\330\12&\361\32\237\1,\206\235\26\216\353- \320\254\05\335\20\360yX\322<\0\255 
;\277_\11(8\307x\177+/\240\35V\351\204\253\4F\306f|\37\200\204\215C\256\3Y\235)\330\231+\249\326\347X\3\30\25:\7\214\0\350m\300\350\227\206\270\20\360\241\24qP#\370\0\251g\26\352\205\263\366\222\10\10W\252\2\374\1\301(\270\260\350P\204N\11+\11\372\6uQ\214$0\362D\13\250\0\350\344B5*\365\232\377\22u\357\16B4p\24'\0\3026\207\253\4\321\2Vl\216\320 *\373\331\0\31y\255\374\16\26u\1L\356\204\11\246\263\335\2037\333\201\4\20\373\314\264ZqU\335\14\301r\234\0x\336\344Ss=\4P\350\5\5\307MtV\332\0\240-\253>@\2249\276\356\200\274x\324QS|\32\0\26\36~\220?tB`5O\335\260 ,\201\250\320\374\177\0\303E\10:\236\267\266\344\346\355\0\13\376\275i\330\35\301\363\372k\6J\16\370r\312(\1~\342\215\314\35\254\262\340\17b\13)\260|\355\325\0}D\263W\311\0\215s7(B\231Y\32\0\356\276\251\341l\357\277~\0", ) == 0x0 02554 420 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, "\2460I\205\34\14\2\257\202P\215\11\363\235\260(\0H\250\201\375\4x\30\0\376\346y\367\303\255\366*H\7\24$&\10\240\266\0\231\240\302\11\311`E\360\35 \212L0qx\325\227\5\30\6\203\207\340h\267\0\336\323\355\216\356)"-\0\34\36325 \330\332`\0/\26U\254\260\372\204\3424\227\337\350\3\254\216\232\32\236\240\0Ka\273\355\6\346\250"\11\27\315\227Q*\204P\304\341\300\223y\300\371|\324c\11\221f\331\210\302\305\275\0\341\33\330\12&\361\32\237\1,\206\235\26\216\353- \320\254\05\335\20\360yX\322<\0\255 ;\277_\11(8\307x\177+/\240\35V\351\204\253\4F\306f|\37\200\204\215C\256\3Y\235)\330\231+\249\326\347X\3\30\25:\7\214\0\350m\300\350\227\206\270\20\360\241\24qP#\370\0\251g\26\352\205\263\366\222\10\10W\252\2\374\1\301(\270\260\350P\204N\11+\11\372\6uQ\214$0\362D\13\250\0\350\344B5*\365\232\377\22u\357\16B4p\24'\0\3026\207\253\4\321\2Vl\216\320 *\373\331\0\31y\255\374\16\26u\1L\356\204\11\246\263\335\2037\333\201\4\20\373\314\264ZqU\335\14\301r\234\0x\336\344Ss=\4P\350\5\5\307MtV\332\0\240-\253>@\2249\276\356\200\274x\324QS|\32\0\26\36~\220?tB`5O\335\260 
,\201\250\320\374\177\0\303E\10:\236\267\266\344\346\355\0\13\376\275i\330\35\301\363\372k\6J\16\370r\312(\1~\342\215\314\35\254\262\340\17b\13)\260|\355\325\0}D\263W\311\0\215s7(B\231Y\32\0\356\276\251\341l\357\277~\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) x\325\227\5\30\6\203\207\340h\267\0\336\323\355\216\356) (476, 0, 0, 0, "\2460I\205\34\14\2\257\202P\215\11\363\235\260(\0H\250\201\375\4x\30\0\376\346y\367\303\255\366*H\7\24$&\10\240\266\0\231\240\302\11\311`E\360\35 \212L0qx\325\227\5\30\6\203\207\340h\267\0\336\323\355\216\356)"-\0\34\36325 \330\332`\0/\26U\254\260\372\204\3424\227\337\350\3\254\216\232\32\236\240\0Ka\273\355\6\346\250"\11\27\315\227Q*\204P\304\341\300\223y\300\371|\324c\11\221f\331\210\302\305\275\0\341\33\330\12&\361\32\237\1,\206\235\26\216\353- \320\254\05\335\20\360yX\322<\0\255 ;\277_\11(8\307x\177+/\240\35V\351\204\253\4F\306f|\37\200\204\215C\256\3Y\235)\330\231+\249\326\347X\3\30\25:\7\214\0\350m\300\350\227\206\270\20\360\241\24qP#\370\0\251g\26\352\205\263\366\222\10\10W\252\2\374\1\301(\270\260\350P\204N\11+\11\372\6uQ\214$0\362D\13\250\0\350\344B5*\365\232\377\22u\357\16B4p\24'\0\3026\207\253\4\321\2Vl\216\320 *\373\331\0\31y\255\374\16\26u\1L\356\204\11\246\263\335\2037\333\201\4\20\373\314\264ZqU\335\14\301r\234\0x\336\344Ss=\4P\350\5\5\307MtV\332\0\240-\253>@\2249\276\356\200\274x\324QS|\32\0\26\36~\220?tB`5O\335\260 ,\201\250\320\374\177\0\303E\10:\236\267\266\344\346\355\0\13\376\275i\330\35\301\363\372k\6J\16\370r\312(\1~\342\215\314\35\254\262\340\17b\13)\260|\355\325\0}D\263W\311\0\215s7(B\231Y\32\0\356\276\251\341l\357\277~\0", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \11\27\315\227Q*\204P\304\341\300\223y\300\371|\324c\11\221f\331\210\302\305\275\0\341\33\330\12&\361\32\237\1,\206\235\26\216\353- \320\254\05\335\20\360yX\322<\0\255 ;\277_\11(8\307x\177+/\240\35V\351\204\253\4F\306f|\37\200\204\215C\256\3Y\235)\330\231+\249\326\347X\3\30\25:\7\214\0\350m\300\350\227\206\270\20\360\241\24qP#\370\0\251g\26\352\205\263\366\222\10\10W\252\2\374\1\301(\270\260\350P\204N\11+\11\372\6uQ\214$0\362D\13\250\0\350\344B5*\365\232\377\22u\357\16B4p\24'\0\3026\207\253\4\321\2Vl\216\320 *\373\331\0\31y\255\374\16\26u\1L\356\204\11\246\263\335\2037\333\201\4\20\373\314\264ZqU\335\14\301r\234\0x\336\344Ss=\4P\350\5\5\307MtV\332\0\240-\253>@\2249\276\356\200\274x\324QS|\32\0\26\36~\220?tB`5O\335\260 ,\201\250\320\374\177\0\303E\10:\236\267\266\344\346\355\0\13\376\275i\330\35\301\363\372k\6J\16\370r\312(\1~\342\215\314\35\254\262\340\17b\13)\260|\355\325\0}D\263W\311\0\215s7(B\231Y\32\0\356\276\251\341l\357\277~\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02555 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=24064}, (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=24064}, "\222\213\214\362n\0\311\341\262>\272\300\24\216\0:A0'\11\256\205\247\16\226O\231\377\304\32\245\200|\13\265#\0N~\33\254\233\301\204\353Xx\20\0\10\367Kj\346\15\351\0\365\2306/\221G\246\2\09\213+w&\3z\34\0"N\275\363\356'h\360\0\2203\221*nHr\213\2\211\37\376@\1\5\340\312\256#\0\331]y\357\303\253g\300\0\217*[O\200\376=\236\354v>b\344\207\3635\340\371\320\373\264\314\376\0\37\2\346\317\320\234\257R\270\362\1\206\306\230B\300"\352\201\320Y\331\275`\372\360(\277\0\353\25_\326\10F\210\237\27\36\7*@\214D\321a4\204\354\22p\326\22\253\345\3139\246X\200&\367\341\202\0\353'\355\qP\11O\263\26\27+\273\0\360\223\276\37l\16\333\377\371g\200[\374\323=\354\5\22w\335\255\315\320\10\10B\205\0\343\35\243\327\300\34\241\277=\3626\12\11\13\334\2000\20\240\224{r\265\0q\203S\216\273\36\2065\17\212\363\6\343\222@\320\202A?\345y\0\334\367(7\342\265Z\370\1\243v\247\272c6\347\330\337B\0+:\343\266g\360]x\2\245\267b5\332v@\4\234\3008\324\13\27)Q@\314L\363x\361\273\16\251\264\342q.\11\215< \370Y\311\360Gd\12\21I\0S\320\3104\371\305 \2662\7(5!\231\0\260\36\325\322\316t\251\16r\6v\266\205q\354\3\256=$p\320\2TG\7\335\15\236\266\235\320\220\343\347\314\7\14\20\317\30\313\300\245\24\203*|\253|\4\0C\252\31\316\351Ut\234\312\270pD@\252\331\325\303\22\314\3515@\370\216y\\34\234\0\36\242\332@0\345\366\255\7\321R\250\352m`\215\37\306,\3\236I\3731r\216\351P\32\316@\3070\20=\7H\7\214\306a,", ) N\275\363\356'h\360\0\2203\221*nHr\213\2\211\37\376@\1\5\340\312\256#\0\331]y\357\303\253g\300\0\217*[O\200\376=\236\354v>b\344\207\3635\340\371\320\373\264\314\376\0\37\2\346\317\320\234\257R\270\362\1\206\306\230B\300 (480, 0, 0, 0, 61440, 0x0, 0, ... 
{status=0x0, info=24064}, "\222\213\214\362n\0\311\341\262>\272\300\24\216\0:A0'\11\256\205\247\16\226O\231\377\304\32\245\200|\13\265#\0N~\33\254\233\301\204\353Xx\20\0\10\367Kj\346\15\351\0\365\2306/\221G\246\2\09\213+w&\3z\34\0"N\275\363\356'h\360\0\2203\221*nHr\213\2\211\37\376@\1\5\340\312\256#\0\331]y\357\303\253g\300\0\217*[O\200\376=\236\354v>b\344\207\3635\340\371\320\373\264\314\376\0\37\2\346\317\320\234\257R\270\362\1\206\306\230B\300"\352\201\320Y\331\275`\372\360(\277\0\353\25_\326\10F\210\237\27\36\7*@\214D\321a4\204\354\22p\326\22\253\345\3139\246X\200&\367\341\202\0\353'\355\qP\11O\263\26\27+\273\0\360\223\276\37l\16\333\377\371g\200[\374\323=\354\5\22w\335\255\315\320\10\10B\205\0\343\35\243\327\300\34\241\277=\3626\12\11\13\334\2000\20\240\224{r\265\0q\203S\216\273\36\2065\17\212\363\6\343\222@\320\202A?\345y\0\334\367(7\342\265Z\370\1\243v\247\272c6\347\330\337B\0+:\343\266g\360]x\2\245\267b5\332v@\4\234\3008\324\13\27)Q@\314L\363x\361\273\16\251\264\342q.\11\215< \370Y\311\360Gd\12\21I\0S\320\3104\371\305 \2662\7(5!\231\0\260\36\325\322\316t\251\16r\6v\266\205q\354\3\256=$p\320\2TG\7\335\15\236\266\235\320\220\343\347\314\7\14\20\317\30\313\300\245\24\203*|\253|\4\0C\252\31\316\351Ut\234\312\270pD@\252\331\325\303\22\314\3515@\370\216y\\34\234\0\36\242\332@0\345\366\255\7\321R\250\352m`\215\37\306,\3\236I\3731r\216\351P\32\316@\3070\20=\7H\7\214\306a,", ) , ) == 0x0 02556 420 NtWriteFile (476, 0, 0, 0, (476, 0, 0, 0, 
"\222\213\214\362n\0\311\341\262>\272\300\24\216\0:A0'\11\256\205\247\16\226O\231\377\304\32\245\200|\13\265#\0N~\33\254\233\301\204\353Xx\20\0\10\367Kj\346\15\351\0\365\2306/\221G\246\2\09\213+w&\3z\34\0"N\275\363\356'h\360\0\2203\221*nHr\213\2\211\37\376@\1\5\340\312\256#\0\331]y\357\303\253g\300\0\217*[O\200\376=\236\354v>b\344\207\3635\340\371\320\373\264\314\376\0\37\2\346\317\320\234\257R\270\362\1\206\306\230B\300"\352\201\320Y\331\275`\372\360(\277\0\353\25_\326\10F\210\237\27\36\7*@\214D\321a4\204\354\22p\326\22\253\345\3139\246X\200&\367\341\202\0\353'\355\qP\11O\263\26\27+\273\0\360\223\276\37l\16\333\377\371g\200[\374\323=\354\5\22w\335\255\315\320\10\10B\205\0\343\35\243\327\300\34\241\277=\3626\12\11\13\334\2000\20\240\224{r\265\0q\203S\216\273\36\2065\17\212\363\6\343\222@\320\202A?\345y\0\334\367(7\342\265Z\370\1\243v\247\272c6\347\330\337B\0+:\343\266g\360]x\2\245\267b5\332v@\4\234\3008\324\13\27)Q@\314L\363x\361\273\16\251\264\342q.\11\215< \370Y\311\360Gd\12\21I\0S\320\3104\371\305 \2662\7(5!\231\0\260\36\325\322\316t\251\16r\6v\266\205q\354\3\256=$p\320\2TG\7\335\15\236\266\235\320\220\343\347\314\7\14\20\317\30\313\300\245\24\203*|\253|\4\0C\252\31\316\351Ut\234\312\270pD@\252\331\325\303\22\314\3515@\370\216y\\34\234\0\36\242\332@0\345\366\255\7\321R\250\352m`\215\37\306,\3\236I\3731r\216\351P\32\316@\3070\20=\7H\7\214\306a,", 24064, 0x0, 0, ... 
{status=0x0, info=24064}, ) N\275\363\356'h\360\0\2203\221*nHr\213\2\211\37\376@\1\5\340\312\256#\0\331]y\357\303\253g\300\0\217*[O\200\376=\236\354v>b\344\207\3635\340\371\320\373\264\314\376\0\37\2\346\317\320\234\257R\270\362\1\206\306\230B\300 (476, 0, 0, 0, "\222\213\214\362n\0\311\341\262>\272\300\24\216\0:A0'\11\256\205\247\16\226O\231\377\304\32\245\200|\13\265#\0N~\33\254\233\301\204\353Xx\20\0\10\367Kj\346\15\351\0\365\2306/\221G\246\2\09\213+w&\3z\34\0"N\275\363\356'h\360\0\2203\221*nHr\213\2\211\37\376@\1\5\340\312\256#\0\331]y\357\303\253g\300\0\217*[O\200\376=\236\354v>b\344\207\3635\340\371\320\373\264\314\376\0\37\2\346\317\320\234\257R\270\362\1\206\306\230B\300"\352\201\320Y\331\275`\372\360(\277\0\353\25_\326\10F\210\237\27\36\7*@\214D\321a4\204\354\22p\326\22\253\345\3139\246X\200&\367\341\202\0\353'\355\qP\11O\263\26\27+\273\0\360\223\276\37l\16\333\377\371g\200[\374\323=\354\5\22w\335\255\315\320\10\10B\205\0\343\35\243\327\300\34\241\277=\3626\12\11\13\334\2000\20\240\224{r\265\0q\203S\216\273\36\2065\17\212\363\6\343\222@\320\202A?\345y\0\334\367(7\342\265Z\370\1\243v\247\272c6\347\330\337B\0+:\343\266g\360]x\2\245\267b5\332v@\4\234\3008\324\13\27)Q@\314L\363x\361\273\16\251\264\342q.\11\215< \370Y\311\360Gd\12\21I\0S\320\3104\371\305 \2662\7(5!\231\0\260\36\325\322\316t\251\16r\6v\266\205q\354\3\256=$p\320\2TG\7\335\15\236\266\235\320\220\343\347\314\7\14\20\317\30\313\300\245\24\203*|\253|\4\0C\252\31\316\351Ut\234\312\270pD@\252\331\325\303\22\314\3515@\370\216y\\34\234\0\36\242\332@0\345\366\255\7\321R\250\352m`\215\37\306,\3\236I\3731r\216\351P\32\316@\3070\20=\7H\7\214\306a,", 24064, 0x0, 0, ... {status=0x0, info=24064}, ) , 24064, 0x0, 0, ... {status=0x0, info=24064}, ) == 0x0 02557 420 NtReadFile (480, 0, 0, 0, 61440, 0x0, 0, ... ) == STATUS_END_OF_FILE 02558 420 NtFreeVirtualMemory (-1, (0x154000), 69632, 16384, ... (0x154000), 69632, ) == 0x0 02559 420 NtSetInformationFile (476, 1242904, 40, Basic, ... 
{status=0x0, info=0}, ) == 0x0 02560 420 NtClose (480, ... ) == 0x0 02561 420 NtClose (476, ... ) == 0x0 02562 420 NtOpenKey (0xf003f, {24, 48, 0x40, 0, 0, (0xf003f, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 476, ) }, ... 476, ) == 0x0 02563 420 NtQueryValueKey (476, (476, "Shell", Partial, 144, ... TitleIdx=0, Type=1, Data="E\0x\0p\0l\0o\0r\0e\0r\0.\0e\0x\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (476, "Shell", Partial, 144, ... TitleIdx=0, Type=1, Data="E\0x\0p\0l\0o\0r\0e\0r\0.\0e\0x\0e\0\0\0"}, 38, ) }, 38, ) == 0x0 02564 420 NtQueryValueKey (476, (476, "Shell", Partial, 144, ... TitleIdx=0, Type=1, Data="E\0x\0p\0l\0o\0r\0e\0r\0.\0e\0x\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (476, "Shell", Partial, 144, ... TitleIdx=0, Type=1, Data="E\0x\0p\0l\0o\0r\0e\0r\0.\0e\0x\0e\0\0\0"}, 38, ) }, 38, ) == 0x0 02565 420 NtClose (476, ... ) == 0x0 02566 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242812, (0x80100080, {24, 0, 0x40, 0, 1242812, "\??\C:\WINDOWSExplorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02567 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\regent.exe"}, 7, 2113568, ... 476, {status=0x0, info=1}, ) }, 7, 2113568, ... 476, {status=0x0, info=1}, ) == 0x0 02568 420 NtSetInformationFile (476, 1243104, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02569 420 NtClose (476, ... ) == 0x0 02570 420 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 02571 420 NtAllocateVirtualMemory (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0 02572 420 NtAllocateVirtualMemory (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0 02573 420 NtAllocateVirtualMemory (-1, 1208320, 0, 4096, 4096, 260, ... 1208320, 4096, ) == 0x0 02574 420 NtAllocateVirtualMemory (-1, 1204224, 0, 4096, 4096, 260, ... 
1204224, 4096, ) == 0x0 02575 420 NtAllocateVirtualMemory (-1, 1200128, 0, 4096, 4096, 260, ... 1200128, 4096, ) == 0x0 02576 420 NtAllocateVirtualMemory (-1, 1196032, 0, 4096, 4096, 260, ... 1196032, 4096, ) == 0x0 02577 420 NtAllocateVirtualMemory (-1, 1191936, 0, 4096, 4096, 260, ... 1191936, 4096, ) == 0x0 02578 420 NtAllocateVirtualMemory (-1, 1187840, 0, 4096, 4096, 260, ... 1187840, 4096, ) == 0x0 02579 420 NtAllocateVirtualMemory (-1, 1183744, 0, 4096, 4096, 260, ... 1183744, 4096, ) == 0x0 02580 420 NtAllocateVirtualMemory (-1, 1179648, 0, 4096, 4096, 260, ... 1179648, 4096, ) == 0x0 02581 420 NtAllocateVirtualMemory (-1, 1175552, 0, 4096, 4096, 260, ... 1175552, 4096, ) == 0x0 02582 420 NtAllocateVirtualMemory (-1, 1171456, 0, 4096, 4096, 260, ... 1171456, 4096, ) == 0x0 02583 420 NtCreateKey (0x20006, {24, 48, 0x40, 0, 0, (0x20006, {24, 48, 0x40, 0, 0, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions"}, 0, 0x0, 0, ... ) }, 0, 0x0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02584 420 NtCreateKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "SOFTWARE"}, 0, 0x0, 0, ... 476, 2, ) }, 0, 0x0, 0, ... 476, 2, ) == 0x0 02585 420 NtCreateKey (0x2000000, {24, 476, 0x40, 0, 0, (0x2000000, {24, 476, 0x40, 0, 0, "Microsoft"}, 0, 0x0, 0, ... 480, 2, ) }, 0, 0x0, 0, ... 480, 2, ) == 0x0 02586 420 NtClose (476, ... ) == 0x0 02587 420 NtCreateKey (0x2000000, {24, 480, 0x40, 0, 0, (0x2000000, {24, 480, 0x40, 0, 0, "Windows"}, 0, 0x0, 0, ... 476, 2, ) }, 0, 0x0, 0, ... 476, 2, ) == 0x0 02588 420 NtClose (480, ... ) == 0x0 02589 420 NtCreateKey (0x2000000, {24, 476, 0x40, 0, 0, (0x2000000, {24, 476, 0x40, 0, 0, "CurrentVersion"}, 0, 0x0, 0, ... 480, 2, ) }, 0, 0x0, 0, ... 480, 2, ) == 0x0 02590 420 NtClose (476, ... ) == 0x0 02591 420 NtCreateKey (0x20006, {24, 480, 0x40, 0, 0, (0x20006, {24, 480, 0x40, 0, 0, "Shell Extensions"}, 0, 0x0, 0, ... 476, 2, ) }, 0, 0x0, 0, ... 476, 2, ) == 0x0 02592 420 NtClose (480, ... 
) == 0x0 02593 420 NtSetValueKey (476, (476, "12", 0, 1, "u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0", 38, ... , 0, 1, (476, "12", 0, 1, "u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0", 38, ... , 38, ... 02594 420 NtSetInformationFile (-2147482808, -128866508, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02595 420 NtSetInformationFile (-2147482808, -128866908, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02593 420 NtSetValueKey ... ) == 0x0 02596 420 NtClose (476, ... ) == 0x0 02597 420 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Kazaa\LocalContent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02598 420 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 476, ) }, ... 476, ) == 0x0 02599 420 NtWaitForSingleObject (476, 0, {-1800000000, -1}, ... ) == 0x0 02600 420 NtClose (476, ... ) == 0x0 02601 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02602 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02603 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 476, ) }, ... 476, ) == 0x0 02604 420 NtQueryValueKey (476, (476, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02605 420 NtClose (476, ... ) == 0x0 02606 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02607 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 476, ) == 0x0 02608 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 480, ) == 0x0 02609 420 NtQuerySystemTime (... {-208037652, 29873111}, ) == 0x0 02610 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 484, ) == 0x0 02611 420 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02612 420 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 02613 420 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 02614 420 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 02615 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 488, ) == 0x0 02616 420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 492, ) == 0x0 02617 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 496, ) }, ... 496, ) == 0x0 02618 420 NtOpenKey (0x20019, {24, 496, 0x40, 0, 0, (0x20019, {24, 496, 0x40, 0, 0, "ActiveComputerName"}, ... 500, ) }, ... 500, ) == 0x0 02619 420 NtQueryValueKey (500, (500, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (500, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (500, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02620 420 NtClose (500, ... ) == 0x0 02621 420 NtClose (496, ... ) == 0x0 02622 420 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 496, ) == 0x0 02623 420 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 500, ) == 0x0 02624 420 NtDuplicateObject (-1, 496, -1, 0x0, 0, 2, ... 
504, ) == 0x0 02625 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02626 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 508, ) == 0x0 02627 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02628 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02629 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242088, (0xc0100080, {24, 0, 0x40, 0, 1242088, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 512, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 512, {status=0x0, info=1}, ) == 0x0 02630 420 NtSetInformationFile (512, 1242144, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02631 420 NtSetInformationFile (512, 1242136, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02632 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02633 420 NtWriteFile (512, 489, 0, 0, (512, 489, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02634 420 NtReadFile (512, 489, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (512, 489, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02635 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\2\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\2\0\0\0", 36, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02636 420 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 02637 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\300\0\0\0\2\0\0\0\250\0\0\0\0\0\30\0\0\0\0\0W`\245,\313?\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0i\11E0\245A\0\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0\203\242\26\377\1\17\0\20\1\0\0\2\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\30\0\0\0"C:\WINDOWS\regent.exe"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 192, 1024, ... {status=0x103, info=48}, "\374\365\223\220\274\221\303|\0G\262\305\273\321\245q\354z%\0\301\20\313\336B\361\244\225\0\327U\303\324\330g]\267\354\301\34\11Y\367\205<\331\337\242", ) C:\WINDOWS\regent.exe (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\300\0\0\0\2\0\0\0\250\0\0\0\0\0\30\0\0\0\0\0W`\245,\313?\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0i\11E0\245A\0\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0\203\242\26\377\1\17\0\20\1\0\0\2\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\30\0\0\0"C:\WINDOWS\regent.exe"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 192, 1024, ... {status=0x103, info=48}, "\374\365\223\220\274\221\303|\0G\262\305\273\321\245q\354z%\0\301\20\313\336B\361\244\225\0\327U\303\324\330g]\267\354\301\34\11Y\367\205<\331\337\242", ) , 192, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\300\0\0\0\2\0\0\0\250\0\0\0\0\0\30\0\0\0\0\0W`\245,\313?\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0i\11E0\245A\0\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0\203\242\26\377\1\17\0\20\1\0\0\2\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\30\0\0\0"C:\WINDOWS\regent.exe"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 192, 1024, ... 
{status=0x103, info=48}, "\374\365\223\220\274\221\303|\0G\262\305\273\321\245q\354z%\0\301\20\313\336B\361\244\225\0\327U\303\324\330g]\267\354\301\34\11Y\367\205<\331\337\242", ) , ) == 0x103 02638 420 NtWaitForSingleObject (489, 0, 0x0, ... ) == 0x0 02639 420 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 516, ) }, ... 516, ) == 0x0 02640 420 NtWaitForSingleObject (516, 0, {-1800000000, -1}, ... ) == 0x0 02641 420 NtClose (516, ... ) == 0x0 02642 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02643 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\3\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=52}, "\5\0\2\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 36, 1024, ... {status=0x103, info=52}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\3\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=52}, "\5\0\2\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02644 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\4\0\0\08\0\0\0\0\0\34\0\0\0\0\0Y`\245,\313?\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0{\237\300\377\1\17\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Y`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\4\0\0\08\0\0\0\0\0\34\0\0\0\0\0Y`\245,\313?\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0{\237\300\377\1\17\0", 80, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Y`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02645 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\3\0\0\0\0\0Y`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Z`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\3\0\0\0\0\0Y`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0Z`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02646 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\6\0\0\08\0\0\0\0\0\34\0\0\0\0\0Y`\245,\313?\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0{\237\300\2\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\5\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\6\0\0\08\0\0\0\0\0\34\0\0\0\0\0Y`\245,\313?\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0{\237\300\2\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\5\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02647 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0X\0\0\0\7\0\0\0@\0\0\0\0\0$\0\0\0\0\0Z`\245,\313?\334\21\261\310\0\14)\371\246\305\2\0\0\0\2\0\0\00\372\22\0\12\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0D\372\22\0\1\0\0\0\1\0\0\0\270\13\0\0", 88, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\6\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 88, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0X\0\0\0\7\0\0\0@\0\0\0\0\0$\0\0\0\0\0Z`\245,\313?\334\21\261\310\0\14)\371\246\305\2\0\0\0\2\0\0\00\372\22\0\12\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0D\372\22\0\1\0\0\0\1\0\0\0\270\13\0\0", 88, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\6\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02648 420 NtWaitForSingleObject (489, 0, 0x0, ... ) == 0x0 02649 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0Y\0\0\0\10\0\0\0A\0\0\0\0\0$\0\0\0\0\0Z`\245,\313?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0T\372\22\0D\245A\0\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0", 89, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\7\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , 89, 1024, ... {status=0x103, info=28}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0Y\0\0\0\10\0\0\0A\0\0\0\0\0$\0\0\0\0\0Z`\245,\313?\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0T\372\22\0D\245A\0\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0", 89, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\7\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02650 420 NtWaitForSingleObject (489, 0, 0x0, ... ) == 0x0 02651 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\11\0\0\0\24\0\0\0\0\0\10\0\0\0\0\0[`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\10\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=28}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\11\0\0\0\24\0\0\0\0\0\10\0\0\0\0\0[`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\10\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02652 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\12\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Z`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\11\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\12\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0Z`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\11\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02653 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\13\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\12\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\13\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\12\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02654 420 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 516, ) }, ... 516, ) == 0x0 02655 420 NtWaitForSingleObject (516, 0, {-1800000000, -1}, ... ) == 0x0 02656 420 NtClose (516, ... ) == 0x0 02657 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02658 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\14\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\13\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 36, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\14\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\13\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02659 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\15\0\0\08\0\0\0\0\0\34\0\0\0\0\0]`\245,\313?\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0egi\377\1\17\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\14\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0]`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\15\0\0\08\0\0\0\0\0\34\0\0\0\0\0]`\245,\313?\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0Register Manager\0egi\377\1\17\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\14\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0]`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02660 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\16\0\0\0\34\0\0\0\0\0\37\0\0\0\0\0^`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\15\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0^`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\16\0\0\0\34\0\0\0\0\0\37\0\0\0\0\0^`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\15\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0^`\245,\313?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02661 420 NtWaitForSingleObject (489, 0, 0x0, ... ) == 0x0 02662 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\17\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0]`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\16\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=28}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\17\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0]`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\16\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02663 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\20\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0^`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\17\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\20\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0^`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\17\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02664 420 NtFsControlFile (512, 489, 0x0, 0x0, 0x11c017, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\21\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\20\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=48}, (512, 489, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\21\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X`\245,\313?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\20\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02665 420 NtRaiseException (1242540, 1241800, 1, ... 02666 420 NtContinue (1240604, 0, ... 02667 420 NtTerminateProcess (0, 1, ... 00677 568 NtDelayExecution ... ) == 0xc0 00678 588 NtDelayExecution ... ) == 0xc0 00684 572 NtDelayExecution ... ) == 0xc0 00680 580 NtDelayExecution ... ) == 0xc0 00681 584 NtDelayExecution ... ) == 0xc0 00682 576 NtDelayExecution ... ) == 0xc0 00683 596 NtDelayExecution ... ) == 0xc0 00424 636 NtDelayExecution ... ) == 0xc0 00910 728 NtWaitForSingleObject ... ) == 0xc0 00965 736 NtWaitForSingleObject ... ) == 0xc0 00885 676 NtWaitForSingleObject ... ) == 0xc0 00979 796 NtWaitForSingleObject ... ) == 0xc0 00837 792 NtWaitForSingleObject ... ) == 0xc0 00869 712 NtWaitForSingleObject ... ) == 0xc0 00861 840 NtWaitForSingleObject ... ) == 0xc0 00975 860 NtWaitForSingleObject ... ) == 0xc0 00849 864 NtWaitForSingleObject ... ) == 0xc0 00559 868 NtWaitForSingleObject ... ) == 0xc0 00989 872 NtWaitForSingleObject ... ) == 0xc0 00829 876 NtWaitForSingleObject ... ) == 0xc0 00889 880 NtWaitForSingleObject ... ) == 0xc0 00841 884 NtWaitForSingleObject ... ) == 0xc0 00985 888 NtWaitForSingleObject ... ) == 0xc0 00631 892 NtWaitForSingleObject ... ) == 0xc0 00904 896 NtDelayExecution ... ) == 0xc0 02667 420 NtTerminateProcess ... ) == 0x0 02668 420 NtFreeVirtualMemory (-1, (0x2760000), 0, 32768, ... (0x2760000), 65536, ) == 0x0 02669 420 NtClose (420, ... ) == 0x0 02670 420 NtClose (424, ... ) == 0x0 02671 420 NtClose (432, ... ) == 0x0 02672 420 NtClose (428, ... ) == 0x0 02673 420 NtClose (436, ... ) == 0x0 02674 420 NtClose (408, ... ) == 0x0 02675 420 NtClose (416, ... ) == 0x0 02676 420 NtClose (452, ... 
) == 0x0 02677 420 NtClose (448, ... ) == 0x0 02678 420 NtClose (444, ... ) == 0x0 02679 420 NtClose (440, ... ) == 0x0 02680 420 NtClose (412, ... ) == 0x0 02681 420 NtClose (388, ... ) == 0x0 02682 420 NtClose (396, ... ) == 0x0 02683 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0 02684 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0 02685 420 NtClose (392, ... ) == 0x0 02686 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0 02687 420 NtWaitForMultipleObjects (2, (364, 368, ), 1, 0, 0x0, ... ) == 0x1 02688 420 NtClose (368, ... ) == 0x0 02689 420 NtSetEvent (364, ... 0x0, ) == 0x0 02690 420 NtClose (364, ... ) == 0x0 02691 420 NtWaitForMultipleObjects (2, (372, 376, ), 1, 0, 0x0, ... ) == 0x1 02692 420 NtClose (376, ... ) == 0x0 02693 420 NtSetEvent (372, ... 0x0, ) == 0x0 02694 420 NtClose (372, ... ) == 0x0 02695 420 NtWaitForMultipleObjects (2, (380, 384, ), 1, 0, 0x0, ... ) == 0x1 02696 420 NtClose (384, ... ) == 0x0 02697 420 NtSetEvent (380, ... 0x0, ) == 0x0 02698 420 NtClose (380, ... ) == 0x0 02699 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 02700 420 NtFreeVirtualMemory (-1, (0x2550000), 0, 32768, ... (0x2550000), 262144, ) == 0x0 02701 420 NtUserUnregisterClass (1243440, 1991376896, 1243428, ... ) == 0x0 02702 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 02703 420 NtClose (296, ... ) == 0x0 02704 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 02705 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 02706 420 NtClose (256, ... ) == 0x0 02707 420 NtClose (264, ... ) == 0x0 02708 420 NtClose (268, ... ) == 0x0 02709 420 NtClose (260, ... ) == 0x0 02710 420 NtClose (252, ... ) == 0x0 02711 420 NtWaitForSingleObject (312, 0, 0x0, ... ) == 0x0 02712 420 NtClearEvent (312, ... ) == 0x0 02713 420 NtSetEvent (312, ... 
0x0, ) == 0x0 02714 420 NtClose (312, ... ) == 0x0 02715 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02716 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02717 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 02718 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 02719 420 NtClose (76, ... ) == 0x0 02720 420 NtClose (68, ... ) == 0x0 02721 420 NtClose (64, ... ) == 0x0 02722 420 NtClose (72, ... ) == 0x0 02723 420 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x0,}, 4, ... ) == 0x0 02724 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc03b 02725 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02726 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc03d 02727 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02728 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc03f 02729 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02730 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc041 02731 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02732 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc043 02733 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02734 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc045 02735 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02736 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc047 02737 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02738 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc049 02739 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... 
) == 0x1 02740 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc04b 02741 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02742 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc04d 02743 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02744 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc04f 02745 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02746 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc051 02747 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02748 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc053 02749 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02750 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc057 02751 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02752 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc059 02753 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02754 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc05b 02755 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02756 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc05d 02757 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02758 420 NtUserGetClassInfo (1999896576, 1243528, 1243480, 1243556, 0, ... ) == 0xc05f 02759 420 NtUserUnregisterClass (1243532, 1999896576, 1243520, ... ) == 0x1 02760 420 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 02761 420 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 2013032352, 2012568799, 1379990, 1379976} (24, {20, 48, new_msg, 0, 2013032352, 2012568799, 1379990, 1379976} "\0\0\0\0\3\0\1\0\315\224s\366M>H\351\1\0\0\0" ... 
{20, 48, reply, 0, 416, 420, 1597, 0} "\0\0\0\0\3\0\1\0\0\0\0\0M>H\351\1\0\0\0" ) ... {20, 48, reply, 0, 416, 420, 1597, 0} (24, {20, 48, new_msg, 0, 2013032352, 2012568799, 1379990, 1379976} "\0\0\0\0\3\0\1\0\315\224s\366M>H\351\1\0\0\0" ... {20, 48, reply, 0, 416, 420, 1597, 0} "\0\0\0\0\3\0\1\0\0\0\0\0M>H\351\1\0\0\0" ) ) == 0x0 02762 420 NtTerminateProcess (-1, 1, ... 02763 420 NtClose (40, ... ) == 0x0