Summary:


NtCreateProcessEx(>)  1 
NtGdiHfontCreate(>)  2 
NtSetInformationObject(>)  5 
NtQueryKey(>)  20 

NtDuplicateToken(>)  1 
NtOpenDirectoryObject(>)  2 
NtUserBuildHwndList(>)  5 
NtQueryDefaultLocale(>)  24 

NtEnumerateValueKey(>)  1 
NtOpenMutant(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtCreateFile(>)  26 

NtFindAtom(>)  1 
NtOpenProcess(>)  2 
NtOpenProcessToken(>)  6 
NtCreateKey(>)  27 

NtGdiCreateBitmap(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtWaitForMultipleObjects(>)  6 
NtRequestWaitReplyPort(>)  27 

NtGdiCreatePatternBrushInternal(>)  1 
NtQueryInstallUILanguage(>)  2 
NtEnumerateKey(>)  7 
NtProtectVirtualMemory(>)  28 

NtGdiInit(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtFsControlFile(>)  7 
NtQueryDebugFilterState(>)  30 

NtGdiQueryFontAssocInfo(>)  1 
NtQueryVirtualMemory(>)  2 
NtOpenEvent(>)  7 
NtOpenSection(>)  35 

NtGdiSelectBitmap(>)  1 
NtReadVirtualMemory(>)  2 
NtUserCallNoParam(>)  7 
NtUnmapViewOfSection(>)  35 

NtOpenKeyedEvent(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtQueryVolumeInformationFile(>)  8 
NtCreateSection(>)  39 

NtQueryEvent(>)  1 
NtResumeThread(>)  2 
NtUserMessageCall(>)  8 
NtSetInformationFile(>)  40 

NtQueryInformationJobObject(>)  1 
NtTestAlert(>)  2 
NtSetInformationProcess(>)  10 
NtCreateEvent(>)  42 

NtQueryInformationThread(>)  1 
NtUserCloseDesktop(>)  2 
NtUserGetWindowDC(>)  10 
NtUserUnregisterClass(>)  46 

NtQueryObject(>)  1 
NtUserGetObjectInformation(>)  2 
NtUserRegisterWindowMessage(>)  10 
NtOpenProcessTokenEx(>)  47 

NtQueryPerformanceCounter(>)  1 
NtUserRemoveProp(>)  2 
NtQueryDirectoryFile(>)  11 
NtOpenThreadTokenEx(>)  47 

NtQuerySystemTime(>)  1 
NtUserWaitForInputIdle(>)  2 
NtFreeVirtualMemory(>)  12 
NtUserFindExistingCursorIcon(>)  48 

NtSecureConnectPort(>)  1 
NtYieldExecution(>)  2 
NtUserCallOneParam(>)  12 
NtQueryInformationToken(>)  54 

NtUserBuildNameList(>)  1 
NtDeleteValueKey(>)  3 
NtUserSystemParametersInfo(>)  12 
NtOpenFile(>)  60 

NtUserGetAtomName(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtDuplicateObject(>)  13 
NtMapViewOfSection(>)  63 

NtUserGetDC(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtFlushInstructionCache(>)  13 
NtUserRegisterClassExWOW(>)  65 

NtUserGetGUIThreadInfo(>)  1 
NtTerminateProcess(>)  3 
NtReleaseMutant(>)  13 
NtQueryAttributesFile(>)  74 

NtUserGetThreadDesktop(>)  1 
NtUserOpenDesktop(>)  3 
NtDeviceIoControlFile(>)  16 
NtAllocateVirtualMemory(>)  81 

NtUserSetWindowLong(>)  1 
NtCreateMutant(>)  4 
NtNotifyChangeKey(>)  16 
NtQuerySystemInformation(>)  90 

NtAccessCheck(>)  2 
NtNotifyChangeDirectoryFile(>)  4 
NtQueryDefaultUILanguage(>)  16 
NtUserGetClassInfo(>)  98 

NtAddAtom(>)  2 
NtOpenThreadToken(>)  4 
NtSetInformationThread(>)  16 
NtUserQueryWindow(>)  138 

NtCallbackReturn(>)  2 
NtUserCreateWindowEx(>)  4 
NtQuerySection(>)  17 
NtQueryValueKey(>)  179 

NtContinue(>)  2 
NtUserSetProp(>)  4 
NtReadFile(>)  18 
NtOpenKey(>)  287 

NtCreateIoCompletion(>)  2 
NtWriteVirtualMemory(>)  4 
NtQueryInformationFile(>)  19 
NtSetEvent(>)  336 

NtCreateSemaphore(>)  2 
NtConnectPort(>)  5 
NtSetValueKey(>)  19 
NtWaitForSingleObject(>)  346 

NtCreateThread(>)  2 
NtDelayExecution(>)  5 
NtWriteFile(>)  19 
NtClose(>)  360 

NtGdiCreateSolidBrush(>)  2 
NtGdiGetStockObject(>)  5 
NtQueryInformationProcess(>)  20 

Trace:
 00001   316   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   316   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   316   NtAllocateVirtualMemory  (-1, 0, 0, 10485760, 8192, 4, ... 15269888, 10485760, ) == 0x0
 00005   316   NtAllocateVirtualMemory  (-1, 15269888, 0, 4096, 4096, 4, ... 15269888, 4096, ) == 0x0
 00006   316   NtAllocateVirtualMemory  (-1, 15273984, 0, 8192, 4096, 4, ... 15273984, 8192, ) == 0x0
 00007   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   316   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 262144, 65536, ) == 0x0
 00009   316   NtAllocateVirtualMemory  (-1, 262144, 0, 24576, 4096, 4, ... 262144, 24576, ) == 0x0
 00010   316   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   316   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   316   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   316   NtClose  (12, ... ) == 0x0
 00014   316   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   316   NtQueryVolumeInformationFile  (12, 15268552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   316   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 15268536, ... ) }, 15268536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   316   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   316   NtClose  (16, ... ) == 0x0
 00021   316   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   316   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   316   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 15278904, {12, 0, 0}, 15266720, 44, ... 24, {24, 16, 0, 65536, 327680, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 15278904, {12, 0, 0}, 15266720, 44, ... 24, {24, 16, 0, 65536, 327680, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   316   NtClose  (16, ... ) == 0x0
 00026   316   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   316   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   316   NtQueryVirtualMemory  (-1, 0x50000, Basic, 28, ... {BaseAddress=0x50000,AllocationBase=0x50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   316   NtAllocateVirtualMemory  (-1, 327680, 0, 4096, 4096, 4, ... 327680, 4096, ) == 0x0
 00031   316   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 312, 316, 1438, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 312, 316, 1438, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 312, 316, 1438, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   316   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   316   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   316   NtClose  (16, ... ) == 0x0
 00036   316   NtAllocateVirtualMemory  (-1, 15257600, 0, 4096, 4096, 260, ... 15257600, 4096, ) == 0x0
 00037   316   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   316   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x60000), 0x0, 90112, ) == 0x0
 00040   316   NtClose  (28, ... ) == 0x0
 00041   316   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   316   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x80000), 0x0, 212992, ) == 0x0
 00044   316   NtClose  (28, ... ) == 0x0
 00045   316   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc0000), 0x0, 266240, ) == 0x0
 00047   316   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   316   NtClose  (28, ... ) == 0x0
 00049   316   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x110000), 0x0, 24576, ) == 0x0
 00051   316   NtClose  (28, ... ) == 0x0
 00052   316   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   316   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   316   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   316   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 312, 316, 1440, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 312, 316, 1440, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 312, 316, 1440, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 8, ) == 0x0
 00057   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 8, ... (0x480000), 4096, 4, ) == 0x0
 00058   316   NtFlushInstructionCache  (-1, 4718592, 4096, ... ) == 0x0
 00059   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   316   NtClose  (28, ... ) == 0x0
 00062   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   316   NtClose  (28, ... ) == 0x0
 00065   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00066   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00067   316   NtFlushInstructionCache  (-1, 4718592, 4096, ... ) == 0x0
 00068   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00070   316   NtClose  (28, ... ) == 0x0
 00071   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00072   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00073   316   NtClose  (28, ... ) == 0x0
 00074   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00076   316   NtClose  (28, ... ) == 0x0
 00077   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00079   316   NtClose  (28, ... ) == 0x0
 00080   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00081   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00082   316   NtFlushInstructionCache  (-1, 4718592, 4096, ... ) == 0x0
 00083   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00084   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00085   316   NtFlushInstructionCache  (-1, 4718592, 4096, ... ) == 0x0
 00086   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00088   316   NtClose  (28, ... ) == 0x0
 00089   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   316   NtClose  (28, ... ) == 0x0
 00092   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   316   NtClose  (28, ... ) == 0x0
 00095   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   316   NtClose  (28, ... ) == 0x0
 00098   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   316   NtClose  (28, ... ) == 0x0
 00101   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00102   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00103   316   NtFlushInstructionCache  (-1, 4718592, 4096, ... ) == 0x0
 00104   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   316   NtAllocateVirtualMemory  (-1, 15282176, 0, 4096, 4096, 4, ... 15282176, 4096, ) == 0x0
 00106   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 15267328, ... ) }, 15267328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   316   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 15267328, ... ) }, 15267328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 15267328, ... ) }, 15267328, ... ) == 0x0
 00109   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   316   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   316   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   316   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   316   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   316   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   316   NtClose  (40, ... ) == 0x0
 00118   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   316   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   316   NtClose  (40, ... ) == 0x0
 00122   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   316   NtClose  (36, ... ) == 0x0
 00124   316   NtClose  (28, ... ) == 0x0
 00125   316   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00126   316   NtClose  (32, ... ) == 0x0
 00127   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 15266524, ... ) }, 15266524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   316   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 15266524, ... ) }, 15266524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 15266524, ... ) }, 15266524, ... ) == 0x0
 00131   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   316   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   316   NtClose  (32, ... ) == 0x0
 00135   316   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00136   316   NtClose  (28, ... ) == 0x0
 00137   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00138   316   NtProtectVirtualMemory  (-1, (0x480000), 4096, 4, ... (0x480000), 4096, 4, ) == 0x0
 00139   316   NtFlushInstructionCache  (-1, 4718592, 4096, ... ) == 0x0
 00140   316   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00141   316   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00142   316   NtClose  (28, ... ) == 0x0
 00143   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   316   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   316   NtClose  (28, ... ) == 0x0
 00146   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00147   316   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00148   316   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00149   316   NtClose  (28, ... ) == 0x0
 00150   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00151   316   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   316   NtClose  (28, ... ) == 0x0
 00153   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00154   316   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00155   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00157   316   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 1179648, 65536, ) == 0x0
 00158   316   NtAllocateVirtualMemory  (-1, 1179648, 0, 4096, 4096, 4, ... 1179648, 4096, ) == 0x0
 00159   316   NtAllocateVirtualMemory  (-1, 1183744, 0, 8192, 4096, 4, ... 1183744, 8192, ) == 0x0
 00160   316   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00161   316   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x130000), 0x0, 12288, ) == 0x0
 00162   316   NtClose  (32, ... ) == 0x0
 00163   316   NtAllocateVirtualMemory  (-1, 1191936, 0, 4096, 4096, 4, ... 1191936, 4096, ) == 0x0
 00164   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00165   316   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 15267824, 256, 15267568, 256}  (24, {28, 56, new_msg, 0, 15267824, 256, 15267568, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\350\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 312, 316, 1451, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\350\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 312, 316, 1451, 0}  (24, {28, 56, new_msg, 0, 15267824, 256, 15267568, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\350\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 312, 316, 1451, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\350\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00166   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00167   316   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x210000), 0x0, 1060864, ) == 0x0
 00168   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00169   316   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00170   316   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00171   316   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00172   316   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00173   316   NtClose  (-2147482020, ... ) == 0x0
 00174   316   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3276800, 4096, ) == 0x0
 00175   316   NtFreeVirtualMemory  (-1, (0x320000), 4096, 32768, ... (0x320000), 4096, ) == 0x0
 00176   316   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00177   316   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00178   316   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   316   NtClose  (-2147482020, ... ) == 0x0
 00180   316   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00181   316   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   316   NtClose  (-2147482020, ... ) == 0x0
 00183   316   NtQueryDefaultLocale  (0, -133395956, ... ) == 0x0
 00184   316   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00185   316   NtUserCallNoParam  (24, ... ) == 0x0
 00186   316   NtGdiCreateCompatibleDC  (0, ...
 00187   316   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3276800, 4096, ) == 0x0
 00186   316   NtGdiCreateCompatibleDC  ... ) == 0x60103e6
 00188   316   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00189   316   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00190   316   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xc0503c9
 00191   316   NtGdiCreateSolidBrush  (0, 0, ...
 00192   316   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3342336, 4096, ) == 0x0
 00191   316   NtGdiCreateSolidBrush  ... ) == 0x51003d9
 00193   316   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00194   316   NtGdiCreateCompatibleDC  (0, ... ) == 0x80103d1
 00195   316   NtGdiSelectBitmap  (134284241, 201655241, ... ) == 0x185000f
 00196   316   NtUserGetThreadDesktop  (316, 0, ... ) == 0x2c
 00197   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00198   316   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00199   316   NtClose  (52, ... ) == 0x0
 00200   316   NtUserFindExistingCursorIcon  (15265908, 15265924, 15266492, ... ) == 0x10011
 00201   316   NtUserRegisterClassExWOW  (15266428, 15266508, 15266492, 15266524, 673, 128, 0, ... ) == 0x810ec017
 00202   316   NtUserFindExistingCursorIcon  (15265908, 15265924, 15266492, ... ) == 0x10011
 00203   316   NtUserRegisterClassExWOW  (15266428, 15266508, 15266492, 15266524, 674, 128, 0, ... ) == 0x810ec01c
 00204   316   NtUserFindExistingCursorIcon  (15265908, 15265924, 15266492, ... ) == 0x10011
 00205   316   NtUserRegisterClassExWOW  (15266428, 15266508, 15266492, 15266524, 675, 128, 0, ... ) == 0x810ec01e
 00206   316   NtUserFindExistingCursorIcon  (15265908, 15265924, 15266492, ... ) == 0x10011
 00207   316   NtUserRegisterClassExWOW  (15266428, 15266508, 15266492, 15266524, 676, 128, 0, ... ) == 0x810e8002
 00208   316   NtUserFindExistingCursorIcon  (15265908, 15265924, 15266492, ... ) == 0x10013
 00209   316   NtUserRegisterClassExWOW  (15266428, 15266508, 15266492, 15266524, 677, 128, 0, ... ) == 0x810ec018
 00210   316   NtUserFindExistingCursorIcon  (15265908, 15265924, 15266492, ... ) == 0x10011
 00211   316   NtUserRegisterClassExWOW  (15266428, 15266508, 15266492, 15266524, 678, 128, 0, ... ) == 0x810ec01a
 00212   316   NtUserFindExistingCursorIcon  (15265908, 15265924, 15266492, ... ) == 0x10011
 00213   316   NtUserRegisterClassExWOW  (15266428, 15266508, 15266492, 15266524, 679, 128, 0, ... ) == 0x810ec01d
 00214   316   NtUserFindExistingCursorIcon  (15265908, 15265924, 15266492, ... ) == 0x10011
 00215   316   NtUserRegisterClassExWOW  (15266428, 15266508, 15266492, 15266524, 681, 128, 0, ... ) == 0x810ec026
 00216   316   NtUserFindExistingCursorIcon  (15265908, 15265924, 15266492, ... ) == 0x10011
 00217   316   NtUserRegisterClassExWOW  (15266428, 15266508, 15266492, 15266524, 680, 128, 0, ... ) == 0x810ec019
 00218   316   NtUserRegisterClassExWOW  (15266380, 15266460, 15266444, 15266476, 0, 128, 0, ... ) == 0x810ec020
 00219   316   NtUserRegisterClassExWOW  (15266380, 15266456, 15266472, 15266444, 0, 130, 0, ... ) == 0x810ec022
 00220   316   NtUserRegisterClassExWOW  (15266380, 15266460, 15266444, 15266476, 0, 128, 0, ...
 00221   316   NtAllocateVirtualMemory  (-1, 25849856, 0, 4096, 4096, 32, ... 25849856, 4096, ) == 0x0
 00220   316   NtUserRegisterClassExWOW  ... ) == 0x810ec023
 00222   316   NtUserRegisterClassExWOW  (15266380, 15266456, 15266472, 15266444, 0, 130, 0, ... ) == 0x810ec024
 00223   316   NtUserRegisterClassExWOW  (15266380, 15266460, 15266444, 15266476, 0, 128, 0, ... ) == 0x810ec025
 00224   316   NtCallbackReturn  (0, 0, 0, ...
 00225   316   NtGdiInit  (... ) == 0x1
 00226   316   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00227   316   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00228   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   316   NtAllocateVirtualMemory  (-1, 15286272, 0, 4096, 4096, 4, ... 15286272, 4096, ) == 0x0
 00231   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00232   316   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   316   NtClose  (52, ... ) == 0x0
 00234   316   NtAllocateVirtualMemory  (-1, 15290368, 0, 4096, 4096, 4, ... 15290368, 4096, ) == 0x0
 00235   316   NtAllocateVirtualMemory  (-1, 15294464, 0, 4096, 4096, 4, ... 15294464, 4096, ) == 0x0
 00236   316   NtAllocateVirtualMemory  (-1, 15298560, 0, 4096, 4096, 4, ... 15298560, 4096, ) == 0x0
 00237   316   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00238   316   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 15268236, 0,  (0x1f0003, {24, 52, 0x80, 15268236, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00239   316   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00240   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00241   316   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00242   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00243   316   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00244   316   NtClose  (60, ... ) == 0x0
 00245   316   NtAllocateVirtualMemory  (-1, 15302656, 0, 4096, 4096, 4, ... 15302656, 4096, ) == 0x0
 00246   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00247   316   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00248   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00249   316   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00250   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00251   316   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   316   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   316   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   316   NtClose  (60, ... ) == 0x0
 00255   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00256   316   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   316   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   316   NtClose  (60, ... ) == 0x0
 00259   316   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   316   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00261   316   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   316   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   316   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   316   NtAllocateVirtualMemory  (-1, 15306752, 0, 8192, 4096, 4, ... 15306752, 8192, ) == 0x0
 00265   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00266   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00267   316   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   316   NtClose  (60, ... ) == 0x0
 00269   316   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00270   316   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 15204608, ... ) == 0x0
 00271   316   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00272   316   NtQueryDefaultUILanguage  (15266472, ...
 00273   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00274   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00275   316   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00276   316   NtClose  (-2147482020, ... ) == 0x0
 00277   316   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00278   316   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   316   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 00280   316   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   316   NtClose  (-2147482024, ... ) == 0x0
 00282   316   NtClose  (-2147482020, ... ) == 0x0
 00272   316   NtQueryDefaultUILanguage  ... ) == 0x0
 00283   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   316   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00285   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00286   316   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00287   316   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x340000), 0x0, 593920, ) == 0x0
 00288   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   316   NtQueryDefaultUILanguage  (2013024600, ...
 00290   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00291   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00292   316   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00293   316   NtClose  (-2147482020, ... ) == 0x0
 00294   316   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00295   316   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   316   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 00297   316   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   316   NtClose  (-2147482024, ... ) == 0x0
 00299   316   NtClose  (-2147482020, ... ) == 0x0
 00289   316   NtQueryDefaultUILanguage  ... ) == 0x0
 00300   316   NtAllocateVirtualMemory  (-1, 15253504, 0, 4096, 4096, 260, ... 15253504, 4096, ) == 0x0
 00301   316   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00302   316   NtQueryDefaultLocale  (1, 15264508, ... ) == 0x0
 00303   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   316   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 15265364, 1, 96, 0}  (24, {128, 156, new_msg, 0, 15265364, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275;\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1452, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275;\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\350\0\0\0\0\0" )  ... {128, 156, reply, 0, 312, 316, 1452, 0}  (24, {128, 156, new_msg, 0, 15265364, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275;\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1452, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275;\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\350\0\0\0\0\0" )  ) == 0x0
 00305   316   NtClose  (68, ... ) == 0x0
 00306   316   NtClose  (72, ... ) == 0x0
 00307   316   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00308   316   NtUnmapViewOfSection  (-1, 0xe8f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00309   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   316   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00312   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 15263048, ... ) }, 15263048, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00317   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 15263640, ... ) }, 15263640, ... ) == 0x0
 00318   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00319   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00321   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00322   316   NtClose  (68, ... ) == 0x0
 00323   316   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1b90000), 0x0, 921600, ) == 0x0
 00324   316   NtClose  (76, ... ) == 0x0
 00325   316   NtUnmapViewOfSection  (-1, 0x1b90000, ... ) == 0x0
 00326   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00327   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00328   316   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00329   316   NtClose  (76, ... ) == 0x0
 00330   316   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00331   316   NtClose  (68, ... ) == 0x0
 00332   316   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   316   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   316   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   316   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   316   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   316   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   316   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00339   316   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00340   316   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00341   316   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00342   316   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00343   316   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00344   316   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00345   316   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00346   316   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00347   316   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00348   316   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00349   316   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00350   316   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00351   316   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00352   316   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00353   316   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 15264824, ... ) , 42, 15264824, ... ) == 0x0
 00354   316   NtQueryDefaultUILanguage  (15263540, ...
 00355   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00356   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00357   316   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00358   316   NtClose  (-2147482020, ... ) == 0x0
 00359   316   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00360   316   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   316   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 00362   316   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   316   NtClose  (-2147482024, ... ) == 0x0
 00364   316   NtClose  (-2147482020, ... ) == 0x0
 00354   316   NtQueryDefaultUILanguage  ... ) == 0x0
 00365   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 15262392, ... ) }, 15262392, ... ) == 0x0
 00367   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00368   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00369   316   NtClose  (68, ... ) == 0x0
 00370   316   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 4096, ) == 0x0
 00371   316   NtClose  (76, ... ) == 0x0
 00372   316   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00373   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 15262032, ... ) }, 15262032, ... ) == 0x0
 00374   316   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 15262732,  (0x80100080, {24, 0, 0x40, 0, 15262732, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00375   316   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00376   316   NtClose  (76, ... ) == 0x0
 00377   316   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x340000), {0, 0}, 4096, ) == 0x0
 00378   316   NtClose  (68, ... ) == 0x0
 00379   316   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00380   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00381   316   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00382   316   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x340000), 0x0, 4096, ) == 0x0
 00383   316   NtQueryInformationFile  (68, 15262352, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00384   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   316   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 15262432, 1, 96, 0}  (24, {128, 156, new_msg, 0, 15262432, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1453, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\350\0\0\0\0\0" )  ... {128, 156, reply, 0, 312, 316, 1453, 0}  (24, {128, 156, new_msg, 0, 15262432, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1453, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\350\0\0\0\0\0" )  ) == 0x0
 00386   316   NtClose  (68, ... ) == 0x0
 00387   316   NtClose  (76, ... ) == 0x0
 00388   316   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00389   316   NtUnmapViewOfSection  (-1, 0xe8e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00390   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00391   316   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00392   316   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00393   316   NtUserGetDC  (0, ... ) == 0x1010051
 00394   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00395   316   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00396   316   NtUserSystemParametersInfo  (66, 12, 15264844, 0, ... ) == 0x1
 00397   316   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00398   316   NtAccessCheck  (15303592, 76, 0x1, 15264248, 15264192, 56, 15264276, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00399   316   NtClose  (76, ... ) == 0x0
 00400   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00401   316   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   316   NtClose  (76, ... ) == 0x0
 00403   316   NtUserSystemParametersInfo  (41, 500, 15264344, 0, ... ) == 0x1
 00404   316   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00405   316   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   316   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00407   316   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   316   NtClose  (68, ... ) == 0x0
 00409   316   NtClose  (76, ... ) == 0x0
 00410   316   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00411   316   NtUserSystemParametersInfo  (4130, 0, 15264868, 0, ... ) == 0x1
 00412   316   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00413   316   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00414   316   NtClose  (76, ... ) == 0x0
 00415   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00416   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec03b
 00417   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec03d
 00418   316   NtUserFindExistingCursorIcon  (15264148, 15264164, 15264732, ... ) == 0x10011
 00419   316   NtUserRegisterClassExWOW  (15264600, 15264680, 15264664, 15264696, 0, 384, 0, ... ) == 0x810ec03f
 00420   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00421   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec041
 00422   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00423   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec043
 00424   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec045
 00425   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00426   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec047
 00427   316   NtUserFindExistingCursorIcon  (15264148, 15264164, 15264732, ... ) == 0x10011
 00428   316   NtUserRegisterClassExWOW  (15264600, 15264680, 15264664, 15264696, 0, 384, 0, ... ) == 0x810ec049
 00429   316   NtUserGetClassInfo  (1905590272, 15264764, 15264716, 15264792, 0, ... ) == 0xc049
 00430   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00431   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec04b
 00432   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00433   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec04d
 00434   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00435   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec04f
 00436   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec051
 00437   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00438   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec053
 00439   316   NtUserFindExistingCursorIcon  (15264148, 15264164, 15264732, ... ) == 0x10011
 00440   316   NtUserRegisterClassExWOW  (15264600, 15264680, 15264664, 15264696, 0, 384, 0, ... ) == 0x810ec055
 00441   316   NtUserRegisterClassExWOW  (15264600, 15264680, 15264664, 15264696, 0, 384, 0, ... ) == 0x810ec057
 00442   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00443   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec059
 00444   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10013
 00445   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec05b
 00446   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00447   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec05d
 00448   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00449   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec05f
 00450   316   NtUserFindExistingCursorIcon  (15264148, 15264164, 15264732, ... ) == 0x10011
 00451   316   NtUserRegisterClassExWOW  (15264600, 15264680, 15264664, 15264696, 0, 384, 0, ... ) == 0x810ec017
 00452   316   NtUserFindExistingCursorIcon  (15264148, 15264164, 15264732, ... ) == 0x10011
 00453   316   NtUserRegisterClassExWOW  (15264600, 15264680, 15264664, 15264696, 0, 384, 0, ... ) == 0x810ec019
 00454   316   NtUserFindExistingCursorIcon  (15264148, 15264164, 15264732, ... ) == 0x10013
 00455   316   NtUserRegisterClassExWOW  (15264600, 15264680, 15264664, 15264696, 0, 384, 0, ... ) == 0x810ec018
 00456   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00457   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec01a
 00458   316   NtUserFindExistingCursorIcon  (15264148, 15264164, 15264732, ... ) == 0x10011
 00459   316   NtUserRegisterClassExWOW  (15264600, 15264680, 15264664, 15264696, 0, 384, 0, ... ) == 0x810ec01c
 00460   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00461   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec01e
 00462   316   NtUserFindExistingCursorIcon  (15264148, 15264164, 15264732, ... ) == 0x10011
 00463   316   NtUserRegisterClassExWOW  (15264660, 15264740, 15264724, 15264756, 0, 384, 0, ... ) == 0x810ec01b
 00464   316   NtUserFindExistingCursorIcon  (15264144, 15264160, 15264728, ... ) == 0x10011
 00465   316   NtUserRegisterClassExWOW  (15264656, 15264736, 15264720, 15264752, 0, 384, 0, ...
 00466   316   NtAllocateVirtualMemory  (-1, 25853952, 0, 4096, 4096, 32, ... 25853952, 4096, ) == 0x0
 00465   316   NtUserRegisterClassExWOW  ... ) == 0x810ec068
 00467   316   NtUserFindExistingCursorIcon  (15264152, 15264168, 15264736, ... ) == 0x10011
 00468   316   NtUserRegisterClassExWOW  (15264604, 15264684, 15264668, 15264700, 0, 384, 0, ... ) == 0x810ec06a
 00469   316   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00470   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00471   316   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00472   316   NtTestAlert  (... ) == 0x0
 00473   316   NtContinue  (15269168, 1, ...
 00474   316   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x47fd10,}, 4, ... ) == 0x0
 00475   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00476   316   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3407872, 65536, ) == 0x0
 00477   316   NtAllocateVirtualMemory  (-1, 3407872, 0, 4096, 4096, 4, ... 3407872, 4096, ) == 0x0
 00478   316   NtAllocateVirtualMemory  (-1, 3411968, 0, 8192, 4096, 4, ... 3411968, 8192, ) == 0x0
 00479   316   NtAllocateVirtualMemory  (-1, 3420160, 0, 4096, 4096, 4, ... 3420160, 4096, ) == 0x0
 00480   316   NtQueryPerformanceCounter  (... {112054526, 0}, {3579545, 0}, ) == 0x0
 00481   316   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 68, ) == 0x0
 00482   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00483   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00484   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00485   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00486   316   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 80, ) }, ... 80, ) == 0x0
 00487   316   NtQueryValueKey  (80,  (80, "Local AppData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00488   316   NtQueryValueKey  (80,  (80, "Local AppData", Partial, 146, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 146, ) , Partial, 146, ... TitleIdx=0, Type=1, Data= (80, "Local AppData", Partial, 146, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 146, ) }, 146, ) == 0x0
 00489   316   NtQueryValueKey  (80,  (80, "Local AppData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00490   316   NtQueryValueKey  (80,  (80, "Local AppData", Partial, 146, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 146, ) , Partial, 146, ... TitleIdx=0, Type=1, Data= (80, "Local AppData", Partial, 146, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 146, ) }, 146, ) == 0x0
 00491   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00492   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00493   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00494   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00495   316   NtCreateFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\Microsoft\WinTools"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 84, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 84, {status=0x0, info=2}, ) == 0x0
 00496   316   NtClose  (84, ... ) == 0x0
 00497   316   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\Microsoft\WinTools"}, 3, 33, ... 84, {status=0x0, info=1}, ) }, 3, 33, ... 84, {status=0x0, info=1}, ) == 0x0
 00498   316   NtQueryVolumeInformationFile  (84, 15268404, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00499   316   NtClose  (12, ... ) == 0x0
 00500   316   NtAllocateVirtualMemory  (-1, 3424256, 0, 32768, 4096, 4, ... 3424256, 32768, ) == 0x0
 00501   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00502   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00503   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00504   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00505   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00506   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00507   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00508   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00509   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00510   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00511   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00512   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00513   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00514   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00515   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00516   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00517   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00518   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00519   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00520   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00521   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00522   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00523   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00524   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00525   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00526   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00527   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00528   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00529   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00530   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00531   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00532   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00533   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00534   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00535   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00536   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00537   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00538   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00539   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00540   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00541   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00542   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00543   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00544   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00545   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00546   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00547   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00548   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00549   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00550   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00551   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00552   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00553   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00554   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00555   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00556   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00557   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00558   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00559   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00560   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00561   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00562   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00563   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00564   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00565   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00566   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00567   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00568   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00569   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00570   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00571   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00572   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00573   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00574   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00575   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00576   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00577   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00578   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00579   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00580   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00581   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00582   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00583   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00584   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00585   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00586   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00587   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00588   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00589   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00590   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00591   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00592   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00593   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00594   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00595   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00596   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00597   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00598   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00599   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00600   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00601   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00602   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00603   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00604   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00605   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00606   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00607   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00608   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00609   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00610   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00611   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00612   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00613   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00614   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00615   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00616   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00617   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00618   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00619   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00620   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00621   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00622   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00623   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00624   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00625   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00626   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00627   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00628   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00629   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00630   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00631   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00632   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00633   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00634   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00635   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00636   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00637   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00638   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00639   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00640   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00641   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00642   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00643   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00644   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00645   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00646   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00647   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00648   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00649   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00650   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00651   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00652   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00653   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00654   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00655   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00656   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00657   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00658   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00659   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00660   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00661   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00662   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00663   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00664   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00665   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00666   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00667   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00668   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00669   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00670   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00671   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00672   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00673   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00674   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00675   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00676   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00677   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00678   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00679   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00680   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00681   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00682   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00683   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00684   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00685   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00686   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00687   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00688   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00689   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00690   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00691   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00692   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00693   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00694   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00695   316   NtAllocateVirtualMemory  (-1, 3457024, 0, 4096, 4096, 4, ... 3457024, 4096, ) == 0x0
 00696   316   NtAllocateVirtualMemory  (-1, 3461120, 0, 12288, 4096, 4, ... 3461120, 12288, ) == 0x0
 00697   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 12, ) == 0x0
 00698   316   NtCreateMutant  (0x1f0001, 0x0, 0, ... 88, ) == 0x0
 00699   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00700   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00701   316   NtSetEvent  (96, ... 0x0, ) == 0x0
 00702   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 100, ) == 0x0
 00703   316   NtAllocateVirtualMemory  (-1, 0, 0, 76800032, 4096, 4, ... 28901376, 76804096, ) == 0x0
 00704   316   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\WAB\DLLPath"}, ... 104, ) }, ... 104, ) == 0x0
 00705   316   NtQueryValueKey  (104, " (104, "", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0S\0y\0s\0t\0e\0m\0\\0w\0a\0b\03\02\0.\0d\0l\0l\0\0\0"}, 106, ) C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0S\0y\0s\0t\0e\0m\0\\0w\0a\0b\03\02\0.\0d\0l\0l\0\0\0"}, 106, ) == 0x0
 00706   316   NtQueryValueKey  (104, " (104, "", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0S\0y\0s\0t\0e\0m\0\\0w\0a\0b\03\02\0.\0d\0l\0l\0\0\0"}, 106, ) C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0S\0y\0s\0t\0e\0m\0\\0w\0a\0b\03\02\0.\0d\0l\0l\0\0\0"}, 106, ) == 0x0
 00707   316   NtClose  (104, ... ) == 0x0
 00708   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32.dll"}, 15266588, ... ) }, 15266588, ... ) == 0x0
 00709   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00710   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 108, ) == 0x0
 00711   316   NtClose  (104, ... ) == 0x0
 00712   316   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x360000), 0x0, 462848, ) == 0x0
 00713   316   NtClose  (108, ... ) == 0x0
 00714   316   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 00715   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32.dll"}, 15266904, ... ) }, 15266904, ... ) == 0x0
 00716   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32.dll"}, 15266904, ... ) }, 15266904, ... ) == 0x0
 00717   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00718   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00719   316   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00720   316   NtClose  (108, ... ) == 0x0
 00721   316   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5a900000), 0x0, 475136, ) == 0x0
 00722   316   NtClose  (104, ... ) == 0x0
 00723   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSOERT2.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00724   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSOERT2.dll"}, 15266092, ... ) }, 15266092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00725   316   NtQueryAttributesFile  ({24, 84, 0x40, 0, 0,  ({24, 84, 0x40, 0, 0, "MSOERT2.dll"}, 15266092, ... ) }, 15266092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00726   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSOERT2.dll"}, 15266092, ... ) }, 15266092, ... ) == 0x0
 00727   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSOERT2.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00728   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00729   316   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00730   316   NtClose  (104, ... ) == 0x0
 00731   316   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74d60000), 0x0, 126976, ) == 0x0
 00732   316   NtClose  (108, ... ) == 0x0
 00733   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 108, ) }, ... 108, ) == 0x0
 00734   316   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00735   316   NtClose  (108, ... ) == 0x0
 00736   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00737   316   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3538944, 65536, ) == 0x0
 00738   316   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0
 00739   316   NtAllocateVirtualMemory  (-1, 3543040, 0, 8192, 4096, 4, ... 3543040, 8192, ) == 0x0
 00740   316   NtQueryDefaultUILanguage  (15265448, ...
 00741   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00742   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00743   316   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00744   316   NtClose  (-2147482032, ... ) == 0x0
 00745   316   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00746   316   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00747   316   NtOpenKey  (0x80000000, {24, -2147482036, 0x640, 0, 0,  (0x80000000, {24, -2147482036, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00748   316   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00749   316   NtClose  (-2147482032, ... ) == 0x0
 00750   316   NtClose  (-2147482036, ... ) == 0x0
 00740   316   NtQueryDefaultUILanguage  ... ) == 0x0
 00751   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00752   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 15264300, ... ) }, 15264300, ... ) == 0x0
 00753   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00754   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 104, ) == 0x0
 00755   316   NtClose  (108, ... ) == 0x0
 00756   316   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0
 00757   316   NtClose  (104, ... ) == 0x0
 00758   316   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00759   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 15263940, ... ) }, 15263940, ... ) == 0x0
 00760   316   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 15264640,  (0x80100080, {24, 0, 0x40, 0, 15264640, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 00761   316   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 104, ... 108, ) == 0x0
 00762   316   NtClose  (104, ... ) == 0x0
 00763   316   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0
 00764   316   NtClose  (108, ... ) == 0x0
 00765   316   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00766   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 108, {status=0x0, info=1}, ) }, 1, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00767   316   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 108, ... 104, ) == 0x0
 00768   316   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0
 00769   316   NtQueryInformationFile  (108, 15264260, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00770   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00771   316   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 15264340, 1, 96, 0}  (24, {128, 156, new_msg, 0, 15264340, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1l\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0T\361\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1513, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1l\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0T\361\350\0\0\0\0\0" )  ... {128, 156, reply, 0, 312, 316, 1513, 0}  (24, {128, 156, new_msg, 0, 15264340, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1l\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0T\361\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1513, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1l\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0T\361\350\0\0\0\0\0" )  ) == 0x0
 00772   316   NtClose  (108, ... ) == 0x0
 00773   316   NtClose  (104, ... ) == 0x0
 00774   316   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00775   316   NtUnmapViewOfSection  (-1, 0xe8f154, ... ) == STATUS_NOT_MAPPED_VIEW
 00776   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00777   316   NtAllocateVirtualMemory  (-1, 15314944, 0, 4096, 4096, 4, ... 15314944, 4096, ) == 0x0
 00778   316   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00780   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00781   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 15263156, ... ) }, 15263156, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00782   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00783   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00784   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00785   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 15263748, ... ) }, 15263748, ... ) == 0x0
 00786   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 104, {status=0x0, info=1}, ) }, 3, 33, ... 104, {status=0x0, info=1}, ) == 0x0
 00787   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00788   316   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 108, ) }, ... 108, ) == 0x0
 00789   316   NtQueryValueKey  (108,  (108, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00790   316   NtClose  (108, ... ) == 0x0
 00791   316   NtQueryDefaultUILanguage  (15265252, ...
 00792   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00793   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00794   316   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00795   316   NtClose  (-2147482020, ... ) == 0x0
 00796   316   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00797   316   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00798   316   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00799   316   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00800   316   NtClose  (-2147482032, ... ) == 0x0
 00801   316   NtClose  (-2147482020, ... ) == 0x0
 00791   316   NtQueryDefaultUILanguage  ... ) == 0x0
 00802   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00803   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 108, {status=0x0, info=1}, ) }, 1, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00804   316   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 108, ... 112, ) == 0x0
 00805   316   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x64d0000), 0x0, 8323072, ) == 0x0
 00806   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00807   316   NtQueryDefaultLocale  (1, 15263288, ... ) == 0x0
 00808   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   316   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 15264144, 1, 96, 0}  (24, {128, 156, new_msg, 0, 15264144, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\204\6\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\220\360\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1514, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\204\6\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\220\360\350\0\0\0\0\0" )  ... {128, 156, reply, 0, 312, 316, 1514, 0}  (24, {128, 156, new_msg, 0, 15264144, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\354\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\204\6\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\220\360\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1514, 0} " S\26\0\33\0\1\0\0\0\0\0\1\354\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\204\6\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\220\360\350\0\0\0\0\0" )  ) == 0x0
 00810   316   NtClose  (108, ... ) == 0x0
 00811   316   NtClose  (112, ... ) == 0x0
 00812   316   NtUnmapViewOfSection  (-1, 0x64d0000, ... ) == 0x0
 00813   316   NtUnmapViewOfSection  (-1, 0xe8f090, ... ) == STATUS_NOT_MAPPED_VIEW
 00814   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00815   316   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00816   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00817   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00818   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 15262372, ... ) }, 15262372, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00819   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00820   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00821   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00822   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 15262964, ... ) }, 15262964, ... ) == 0x0
 00823   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 112, {status=0x0, info=1}, ) }, 3, 33, ... 112, {status=0x0, info=1}, ) == 0x0
 00824   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00825   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 108, ) }, ... 108, ) == 0x0
 00826   316   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00827   316   NtClose  (108, ... ) == 0x0
 00828   316   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {312, 0}, ... 108, ) == 0x0
 00829   316   NtQueryInformationProcess  (108, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00830   316   NtClose  (108, ... ) == 0x0
 00831   316   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00832   316   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00833   316   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00834   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 00835   316   NtQueryValueKey  (108,  (108, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00836   316   NtClose  (108, ... ) == 0x0
 00837   316   NtUserSystemParametersInfo  (41, 500, 15264828, 0, ... ) == 0x1
 00838   316   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00839   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00840   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00841   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec03b
 00842   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00843   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec03d
 00844   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00845   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00846   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec03f
 00847   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00848   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00849   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec041
 00850   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00851   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00852   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec043
 00853   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00854   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec045
 00855   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00856   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00857   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec047
 00858   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00859   316   NtUserFindExistingCursorIcon  (15264616, 15264632, 15265200, ... ) == 0x10011
 00860   316   NtUserRegisterClassExWOW  (15265068, 15265148, 15265132, 15265164, 0, 384, 0, ... ) == 0x810ec049
 00861   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00862   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00863   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec04b
 00864   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00865   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00866   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec04d
 00867   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00868   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00869   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec04f
 00870   316   NtUserGetClassInfo  (1999896576, 15265240, 15265192, 15265268, 0, ... ) == 0x0
 00871   316   NtUserRegisterClassExWOW  (15265076, 15265156, 15265140, 15265172, 0, 384, 0, ... ) == 0x810ec051
 00872   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00873   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00874   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec053
 00875   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00876   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00877   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec055
 00878   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec057
 00879   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00880   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00881   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec059
 00882   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00883   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10013
 00884   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec05b
 00885   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00886   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00887   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec05d
 00888   316   NtUserGetClassInfo  (1999896576, 15265236, 15265188, 15265264, 0, ... ) == 0x0
 00889   316   NtUserFindExistingCursorIcon  (15264620, 15264636, 15265204, ... ) == 0x10011
 00890   316   NtUserRegisterClassExWOW  (15265072, 15265152, 15265136, 15265168, 0, 384, 0, ... ) == 0x810ec05f
 00891   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc03b
 00892   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc03d
 00893   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc03f
 00894   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc041
 00895   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc043
 00896   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc045
 00897   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc047
 00898   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc049
 00899   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc04b
 00900   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc04d
 00901   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc04f
 00902   316   NtUserGetClassInfo  (1999896576, 15266992, 15266944, 15267020, 0, ... ) == 0xc051
 00903   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc053
 00904   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc055
 00905   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc059
 00906   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc05b
 00907   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc05d
 00908   316   NtUserGetClassInfo  (1999896576, 15266988, 15266940, 15267016, 0, ... ) == 0xc05f
 00909   316   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\International"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910   316   NtQueryDefaultUILanguage  (15265360, ...
 00911   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00912   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00913   316   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00914   316   NtClose  (-2147482020, ... ) == 0x0
 00915   316   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00916   316   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00917   316   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00918   316   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919   316   NtClose  (-2147482032, ... ) == 0x0
 00920   316   NtClose  (-2147482020, ... ) == 0x0
 00910   316   NtQueryDefaultUILanguage  ... ) == 0x0
 00921   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00922   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32res.dll"}, 15262584, ... ) }, 15262584, ... ) == 0x0
 00923   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32res.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00924   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 116, ) == 0x0
 00925   316   NtClose  (108, ... ) == 0x0
 00926   316   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 249856, ) == 0x0
 00927   316   NtClose  (116, ... ) == 0x0
 00928   316   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00929   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32res.dll"}, 15262900, ... ) }, 15262900, ... ) == 0x0
 00930   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32res.dll"}, 15262900, ... ) }, 15262900, ... ) == 0x0
 00931   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\System\wab32res.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 00932   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 108, ) == 0x0
 00933   316   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00934   316   NtClose  (116, ... ) == 0x0
 00935   316   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5a8b0000), 0x0, 258048, ) == 0x0
 00936   316   NtClose  (108, ... ) == 0x0
 00937   316   NtUserRegisterWindowMessage  ( ("MSWHEEL_ROLLMSG", ... ) , ... ) == 0xc089
 00938   316   NtUserSystemParametersInfo  (31, 92, 1519807424, 0, ... ) == 0x1
 00939   316   NtQueryDefaultLocale  (1, 15266740, ... ) == 0x0
 00940   316   NtQueryDefaultLocale  (1, 15266740, ... ) == 0x0
 00941   316   NtQueryDefaultLocale  (1, 15266740, ... ) == 0x0
 00942   316   NtQueryDefaultLocale  (1, 15266740, ... ) == 0x0
 00943   316   NtQueryDefaultLocale  (1, 15266740, ... ) == 0x0
 00944   316   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 0, 0,  (0x1f0003, {24, 52, 0x80, 0, 0, "WAB_Outlook_Event_Refresh_Contacts"}, 0, 0, ... 108, ) }, 0, 0, ... 108, ) == 0x0
 00945   316   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 0, 0,  (0x1f0003, {24, 52, 0x80, 0, 0, "WAB_Outlook_Event_Refresh_Folders"}, 0, 0, ... 116, ) }, 0, 0, ... 116, ) == 0x0
 00946   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc03b
 00947   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc03d
 00948   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc03f
 00949   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc041
 00950   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc043
 00951   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc045
 00952   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc047
 00953   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc049
 00954   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc04b
 00955   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc04d
 00956   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc04f
 00957   316   NtUserGetClassInfo  (1999896576, 15266964, 15266916, 15266992, 0, ... ) == 0xc051
 00958   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc053
 00959   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc055
 00960   316   NtUserGetClassInfo  (1999896576, 15266960, 15266912, 15266988, 0, ... ) == 0xc05f
 00961   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00962   316   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3735552, 262144, ) == 0x0
 00963   316   NtAllocateVirtualMemory  (-1, 3735552, 0, 4096, 4096, 4, ... 3735552, 4096, ) == 0x0
 00964   316   NtAllocateVirtualMemory  (-1, 3739648, 0, 8192, 4096, 4, ... 3739648, 8192, ) == 0x0
 00965   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 00966   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 00967   316   NtAllocateVirtualMemory  (-1, 15319040, 0, 4096, 4096, 4, ... 15319040, 4096, ) == 0x0
 00968   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\WAB\WAB4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\WAB\WAB4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 120, ) }, ... 120, ) == 0x0
 00971   316   NtQueryValueKey  (120,  (120, "AppData", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 116, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (120, "AppData", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 116, ) }, 116, ) == 0x0
 00972   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 15264960, ... ) }, 15264960, ... ) == 0x0
 00973   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft"}, 15264960, ... ) }, 15264960, ... ) == 0x0
 00974   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book"}, 15264960, ... ) }, 15264960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   316   NtCreateFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 124, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 124, {status=0x0, info=2}, ) == 0x0
 00976   316   NtClose  (124, ... ) == 0x0
 00977   316   NtClose  (120, ... ) == 0x0
 00978   316   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Microsoft\WAB\Wab File Name"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   316   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Microsoft\WAB\WAB4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980   316   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Microsoft\WAB\WAB4\Wab File Name"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   316   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Microsoft\WAB\WAB4\Wab File Name"}, 0, 0x0, 0, ... ) }, 0, 0x0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00982   316   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0
 00983   316   NtCreateKey  (0x2000000, {24, 120, 0x40, 0, 0,  (0x2000000, {24, 120, 0x40, 0, 0, "Microsoft"}, 0, 0x0, 0, ... 124, 2, ) }, 0, 0x0, 0, ... 124, 2, ) == 0x0
 00984   316   NtClose  (120, ... ) == 0x0
 00985   316   NtCreateKey  (0x2000000, {24, 124, 0x40, 0, 0,  (0x2000000, {24, 124, 0x40, 0, 0, "WAB"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00986   316   NtSetInformationFile  (-2147482732, -133397468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00987   316   NtSetInformationFile  (-2147482732, -133397504, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00988   316   NtSetInformationFile  (-2147482732, -133397940, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00989   316   NtSetInformationFile  (-2147482732, -133397756, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00990   316   NtSetInformationFile  (-2147482732, -133397564, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00985   316   NtCreateKey  ... 120, 1, ) == 0x0
 00991   316   NtClose  (124, ... ) == 0x0
 00992   316   NtCreateKey  (0x2000000, {24, 120, 0x40, 0, 0,  (0x2000000, {24, 120, 0x40, 0, 0, "WAB4"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00993   316   NtSetInformationFile  (-2147482732, -133397836, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00992   316   NtCreateKey  ... 124, 1, ) == 0x0
 00994   316   NtClose  (120, ... ) == 0x0
 00995   316   NtCreateKey  (0xf003f, {24, 124, 0x40, 0, 0,  (0xf003f, {24, 124, 0x40, 0, 0, "Wab File Name"}, 0, 0x0, 0, ... 120, 1, ) }, 0, 0x0, 0, ... 120, 1, ) == 0x0
 00996   316   NtClose  (124, ... ) == 0x0
 00997   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 124, ) }, ... 124, ) == 0x0
 00998   316   NtQueryValueKey  (124,  (124, "AppData", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 116, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "AppData", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 116, ) }, 116, ) == 0x0
 00999   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 15267608, ... ) }, 15267608, ... ) == 0x0
 01000   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft"}, 15267608, ... ) }, 15267608, ... ) == 0x0
 01001   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book"}, 15267608, ... ) }, 15267608, ... ) == 0x0
 01002   316   NtClose  (124, ... ) == 0x0
 01003   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01004   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 15265856, ... ) }, 15265856, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01005   316   NtQueryAttributesFile  ({24, 84, 0x40, 0, 0,  ({24, 84, 0x40, 0, 0, "Secur32.dll"}, 15265856, ... ) }, 15265856, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01006   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 15265856, ... ) }, 15265856, ... ) == 0x0
 01007   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 01008   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 124, ... 128, ) == 0x0
 01009   316   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01010   316   NtClose  (124, ... ) == 0x0
 01011   316   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0
 01012   316   NtClose  (128, ... ) == 0x0
 01013   316   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 128, ) == 0x0
 01014   316   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 124, ) == 0x0
 01015   316   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 132, ) }, ... 132, ) == 0x0
 01016   316   NtQueryEvent  (132, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 01017   316   NtClose  (132, ... ) == 0x0
 01018   316   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 15267388, 140, ... 132, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 15267388, 140, ... 132, 0x0, 0x0, 256, 140, ) == 0x0
 01019   316   NtRequestWaitReplyPort  (132, {28, 52, new_msg, 0, 0, 0, 0, 0}  (132, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\271\0r\1V\372\350\0" ... {176, 200, reply, 0, 312, 316, 1525, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0r\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 312, 316, 1525, 0}  (132, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\271\0r\1V\372\350\0" ... {176, 200, reply, 0, 312, 316, 1525, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0r\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 01020   316   NtSetValueKey  (120, 0x0, 0, 1,  (120, 0x0, 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0A\0d\0d\0r\0e\0s\0s\0 \0B\0o\0o\0k\0\\0S\0R\0I\0-\0u\0s\0e\0r\0.\0w\0a\0b\0\0\0", 176, ... , 176, ...
 01021   316   NtSetInformationFile  (-2147482732, -133397084, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01020   316   NtSetValueKey  ... ) == 0x0
 01022   316   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "MPSWabDataAccessMutex"}, 0, ... 136, ) }, 0, ... 136, ) == 0x0
 01023   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01024   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\"}, 3, 16417, ... 140, {status=0x0, info=1}, ) }, 3, 16417, ... 140, {status=0x0, info=1}, ) == 0x0
 01025   316   NtQueryDirectoryFile  (140, 0, 0, 0, 15265444, 616, BothDirectory, 1,  (140, 0, 0, 0, 15265444, 616, BothDirectory, 1, "SRI-user.wab", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 01026   316   NtClose  (140, ... ) == 0x0
 01027   316   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 15266944,  (0x40100080, {24, 0, 0x40, 0, 15266944, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 01028   316   NtClose  (-2147482020, ... ) == 0x0
 01027   316   NtCreateFile  ... 140, {status=0x0, info=2}, ) == 0x0
 01029   316   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\0\0\0\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 164, 0x0, 0, ... {status=0x0, info=164}, ) , 164, 0x0, 0, ... {status=0x0, info=164}, ) == 0x0
 01030   316   NtAllocateVirtualMemory  (-1, 15323136, 0, 36864, 4096, 4, ... 15323136, 36864, ) == 0x0
 01031   316   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) , 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 01032   316   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4000, 0x0, 0, ... {status=0x0, info=4000}, ) , 4000, 0x0, 0, ... {status=0x0, info=4000}, ) == 0x0
 01033   316   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 34000, 0x0, 0, ... {status=0x0, info=34000}, ) , 34000, 0x0, 0, ... {status=0x0, info=34000}, ) == 0x0
 01034   316   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 34000, 0x0, 0, ... {status=0x0, info=34000}, ) , 34000, 0x0, 0, ... {status=0x0, info=34000}, ) == 0x0
 01035   316   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 34000, 0x0, 0, ... {status=0x0, info=34000}, ) , 34000, 0x0, 0, ... {status=0x0, info=34000}, ) == 0x0
 01036   316   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 34000, 0x0, 0, ... {status=0x0, info=34000}, ) , 34000, 0x0, 0, ... {status=0x0, info=34000}, ) == 0x0
 01037   316   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 34000, 0x0, 0, ... {status=0x0, info=34000}, ) , 34000, 0x0, 0, ... {status=0x0, info=34000}, ) == 0x0
 01038   316   NtClose  (140, ... ) == 0x0
 01039   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15265664,  (0xc0100080, {24, 0, 0x40, 0, 15265664, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 140, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 140, {status=0x0, info=1}, ) == 0x0
 01040   316   NtSetInformationFile  (140, 15267004, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01041   316   NtReadFile  (140, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16},  (140, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244", ) , ) == 0x0
 01042   316   NtSetInformationFile  (140, 15266976, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01043   316   NtReadFile  (140, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (140, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\0\0\0\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01044   316   NtQueryInformationFile  (140, 15266980, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01045   316   NtSetInformationFile  (140, 15267024, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01046   316   NtReadFile  (140, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (140, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\0\0\0\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01047   316   NtClose  (140, ... ) == 0x0
 01048   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01049   316   NtClose  (120, ... ) == 0x0
 01050   316   NtUserGetClassInfo  (1519386624, 15268636, 15268588, 15268664, 0, ... ) == 0x0
 01051   316   NtUserRegisterClassExWOW  (15268476, 15268556, 15268540, 15268572, 0, 384, 0, ... ) == 0x810ec0ca
 01052   316   NtUserCreateWindowEx  (0, 15268520, 15268332,  (0, 15268520, 15268332, "WAB Notification Window", -2147483648, 0, 0, 0, 0, 0, 0, 1519386624, 3743600, 1073742848, 0, ... , -2147483648, 0, 0, 0, 0, 0, 0, 1519386624, 3743600, 1073742848, 0, ...
 01053   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 15264716, ... ) }, 15264716, ... ) == 0x0
 01054   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 01055   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 140, ) == 0x0
 01056   316   NtClose  (120, ... ) == 0x0
 01057   316   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x64d0000), 0x0, 204800, ) == 0x0
 01058   316   NtClose  (140, ... ) == 0x0
 01059   316   NtUnmapViewOfSection  (-1, 0x64d0000, ... ) == 0x0
 01060   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 15265032, ... ) }, 15265032, ... ) == 0x0
 01061   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 01062   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 140, ... 120, ) == 0x0
 01063   316   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01064   316   NtClose  (140, ... ) == 0x0
 01065   316   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 01066   316   NtClose  (120, ... ) == 0x0
 01067   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01068   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01069   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01070   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01071   316   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01072   316   NtClose  (120, ... ) == 0x0
 01073   316   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 120, ) }, ... 120, ) == 0x0
 01074   316   NtOpenKey  (0x1, {24, 120, 0x40, 0, 0,  (0x1, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 140, ) }, ... 140, ) == 0x0
 01075   316   NtQueryValueKey  (140,  (140, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01076   316   NtClose  (140, ... ) == 0x0
 01077   316   NtClose  (120, ... ) == 0x0
 01078   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01079   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01080   316   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01081   316   NtClose  (120, ... ) == 0x0
 01082   316   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 120, ) }, ... 120, ) == 0x0
 01083   316   NtOpenKey  (0x1, {24, 120, 0x40, 0, 0,  (0x1, {24, 120, 0x40, 0, 0, "Control Panel\Desktop"}, ... 140, ) }, ... 140, ) == 0x0
 01084   316   NtQueryValueKey  (140,  (140, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01085   316   NtClose  (140, ... ) == 0x0
 01086   316   NtClose  (120, ... ) == 0x0
 01087   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 15264532, ... ) }, 15264532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01088   316   NtQueryAttributesFile  ({24, 84, 0x40, 0, 0,  ({24, 84, 0x40, 0, 0, "UxTheme.dll"}, 15264532, ... ) }, 15264532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01089   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 15264532, ... ) }, 15264532, ... ) == 0x0
 01090   316   NtUserGetProcessWindowStation  (... ) == 0x28
 01091   316   NtUserGetObjectInformation  (40, 2, 0, 0, 15266828, ... ) == 0x0
 01092   316   NtUserGetObjectInformation  (40, 2, 15316280, 16, 15266828, ... ) == 0x1
 01093   316   NtUserGetGUIThreadInfo  (316, 15266784, ... ) == 0x1
 01094   316   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 15266604, 64, ... 120, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 15266604, 64, ... 120, 0x0, 0x0, 0x0, 64, ) == 0x0
 01095   316   NtRequestWaitReplyPort  (120, {32, 56, new_msg, 0, 0, 0, 0, 0}  (120, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 312, 316, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 312, 316, 1527, 0}  (120, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 312, 316, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01096   316   NtRequestWaitReplyPort  (120, {32, 56, new_msg, 0, 0, 0, 0, 0}  (120, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 312, 316, 1528, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 312, 316, 1528, 0}  (120, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 312, 316, 1528, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01097   316   NtUserCallNoParam  (29, ...
 01098   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 15264076, ... ) }, 15264076, ... ) == 0x0
 01097   316   NtUserCallNoParam  ... ) == 0x0
 01099   316   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01100   316   NtGdiHfontCreate  (15266156, 356, 0, 0, 15303664, ... ) == 0xf0a03ea
 01101   316   NtGdiHfontCreate  (15266156, 356, 0, 0, 15303656, ... ) == 0x80a03e5
 01102   316   NtRequestWaitReplyPort  (120, {32, 56, new_msg, 0, 0, 0, 0, 0}  (120, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 312, 316, 1529, 0} "\0\0\0\0\0\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 312, 316, 1529, 0}  (120, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 312, 316, 1529, 0} "\0\0\0\0\0\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01103   316   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x64d0000), {0, 0}, 331776, ) == 0x0
 01104   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01105   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01106   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01107   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01108   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01109   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01110   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01111   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01112   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01113   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01114   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01115   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01116   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01117   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01118   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01119   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01120   316   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01121   316   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x1110040b
 01122   316   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01123   316   NtUserCallNoParam  (29, ...
 01124   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 15263520, ... ) }, 15263520, ... ) == 0x0
 01123   316   NtUserCallNoParam  ... ) == 0x0
 01125   316   NtUserCallNoParam  (29, ...
 01126   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 15263516, ... ) }, 15263516, ... ) == 0x0
 01125   316   NtUserCallNoParam  ... ) == 0x0
 01127   316   NtUserMessageCall  (0x200b0, WM_NCCREATE, 0x0, 0xe8f524, 0, 670, 0, ... ) == 0x1
 01128   316   NtUserMessageCall  (0x200b0, WM_NCCALCSIZE, 0x0, 0xe8f54c, 0, 670, 0, ... ) == 0x0
 01129   316   NtUserSetProp  (131248, 43288, -1, ... ) == 0x1
 01130   316   NtUserSetWindowLong  (131248, -21, 3743600, 0, ... ) == 0x0
 01052   316   NtUserCreateWindowEx  ... ) == 0x200b0
 01131   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 144, ) == 0x0
 01132   316   NtAllocateVirtualMemory  (-1, 0, 0, 10485760, 8192, 4, ... 106102784, 10485760, ) == 0x0
 01133   316   NtAllocateVirtualMemory  (-1, 116580352, 0, 8192, 4096, 4, ... 116580352, 8192, ) == 0x0
 01134   316   NtProtectVirtualMemory  (-1, (0x6f2e000), 4096, 260, ... (0x6f2e000), 4096, 4, ) == 0x0
 01135   316   NtCreateThread  (0x1f03ff, 0x0, -1, 15267944, 15268660, 1, ... 148, {312, 596}, ) == 0x0
 01136   316   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=312,Tid=596,}, 0x0, ) == 0x0
 01137   316   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 3, 15267852, 15267824}  (24, {28, 56, new_msg, 0, 0, 3, 15267852, 15267824} "\0\0\0\0\1\0\1\0\0\0\0\0\0\340\375\177\224\0\0\08\1\0\0T\2\0\0" ... {28, 56, reply, 0, 312, 316, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\340\375\177\224\0\0\08\1\0\0T\2\0\0" )  ... {28, 56, reply, 0, 312, 316, 1530, 0}  (24, {28, 56, new_msg, 0, 0, 3, 15267852, 15267824} "\0\0\0\0\1\0\1\0\0\0\0\0\0\340\375\177\224\0\0\08\1\0\0T\2\0\0" ... {28, 56, reply, 0, 312, 316, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\340\375\177\224\0\0\08\1\0\0T\2\0\0" )  ) == 0x0
 01138   316   NtResumeThread  (148, ... 1, ) == 0x0
 01139   316   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "MPSWABOlkStoreNotifyMutex"}, 0, ... 152, ) }, 0, ... 152, ) == 0x0
 01140   316   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Microsoft\WAB\WAB4"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0
 01141   596   NtAllocateVirtualMemory  (-1, 1196032, 0, 4096, 4096, 4, ... 1196032, 4096, ) == 0x0
 01142   596   NtTestAlert  (... ) == 0x0
 01143   596   NtContinue  (116587824, 1, ...
 01144   596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01145   596   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book"}, 7, 16385, ... 160, {status=0x0, info=1}, ) }, 7, 16385, ... 160, {status=0x0, info=1}, ) == 0x0
 01146   596   NtNotifyChangeDirectoryFile  (160, 0, 0, 0, 2012047152, 2012047168, 32, 16, 0, ... ) == 0x103
 01147   316   NtSetValueKey  (156,  (156, "OlkContactRefresh", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4,  (156, "OlkContactRefresh", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01148   316   NtSetValueKey  (156,  (156, "OlkFolderRefresh", 0, 4, "\0\0\0\0", 4, ... , 0, 4,  (156, "OlkFolderRefresh", 0, 4, "\0\0\0\0", 4, ... , 4, ...
 01149   316   NtSetInformationFile  (-2147482732, -133397132, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01148   316   NtSetValueKey  ... ) == 0x0
 01150   316   NtClose  (156, ... ) == 0x0
 01151   316   NtCreateKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\WAB\WAB4"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0
 01152   316   NtQueryValueKey  (156,  (156, "OlkContactRefresh", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "OlkContactRefresh", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01153   596   NtWaitForMultipleObjects  (2, (160, 144, ), 1, 0, 0x0, ...
 01154   316   NtQueryValueKey  (156,  (156, "OlkFolderRefresh", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "OlkFolderRefresh", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01155   316   NtClose  (156, ... ) == 0x0
 01156   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01157   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15267184,  (0xc0100080, {24, 0, 0x40, 0, 15267184, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01158   316   NtSetInformationFile  (156, 15268544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01159   316   NtReadFile  (156, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (156, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\0\0\0\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01160   316   NtSetInformationFile  (156, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01161   316   NtReadFile  (156, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (156, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01162   316   NtClose  (156, ... ) == 0x0
 01163   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01164   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01165   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15267184,  (0xc0100080, {24, 0, 0x40, 0, 15267184, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01166   316   NtSetInformationFile  (156, 15268544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01167   316   NtReadFile  (156, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (156, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\0\0\0\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01168   316   NtSetInformationFile  (156, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01169   316   NtWriteFile  (156, 0, 0, 0,  (156, 0, 0, 0, "\4 \6\0\0\0\0\0\300\0\0\0\0\0\0F\4\0\0\0\0\0\0\200\16\0\0\0\1\03\02\08\05\04\0\0\0\0\0\1\200\16\0\0\0\1\03\02\08\05\05\0\0\0\0\0\2\200\16\0\0\0\1\03\02\08\05\06\0\0\0\0\0\3\200\16\0\0\0\1\03\02\08\05\07\0\0\0", 108, 0x0, 0, ... {status=0x0, info=108}, ) , 108, 0x0, 0, ... {status=0x0, info=108}, ) == 0x0
 01170   316   NtSetInformationFile  (156, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01171   316   NtWriteFile  (156, 0, 0, 0,  (156, 0, 0, 0, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0l\0\0\0\244\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 164, 0x0, 0, ... {status=0x0, info=164}, ) , 164, 0x0, 0, ... {status=0x0, info=164}, ) == 0x0
 01172   316   NtClose  (156, ...
 01153   596   NtWaitForMultipleObjects  ... ) == 0x0
 01173   596   NtNotifyChangeDirectoryFile  (160, 0, 0, 0, 2012047152, 2012047168, 32, 3, 1, ... ) == 0x103
 01174   596   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0
 01175   596   NtCallbackReturn  (0, 0, 0, ...
 01176   596   NtUserCallOneParam  (131248, 47, ... ) == 0x18a8d30
 01177   596   NtUserMessageCall  (0x200b0, WM_USER+0x66, 0x0, 0x0, 0, 688, 0, ...
 01172   316   NtClose  ... ) == 0x0
 01178   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01179   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01180   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15267184,  (0xc0100080, {24, 0, 0x40, 0, 15267184, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01181   316   NtSetInformationFile  (164, 15268544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01182   316   NtReadFile  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0l\0\0\0\244\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01183   316   NtSetInformationFile  (164, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01184   316   NtReadFile  (164, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (164, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\4 \6\0\0\0\0\0\300\0\0\0\0\0\0F\4\0\0\0\0\0\0\200\16\0\0\0\1\03\02\08\05\04\0\0\0\0\0\1\200\16\0\0\0\1\03\02\08\05\05\0\0\0\0\0\2\200\16\0\0\0\1\03\02\08\05\06\0\0\0\0\0\3\200\16\0\0\0\1\03\02\08\05\07\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01185   316   NtClose  (164, ... ) == 0x0
 01186   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01187   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01188   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15267184,  (0xc0100080, {24, 0, 0x40, 0, 15267184, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01189   316   NtSetInformationFile  (164, 15268544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01190   316   NtReadFile  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0l\0\0\0\244\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01191   316   NtSetInformationFile  (164, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01192   316   NtWriteFile  (164, 0, 0, 0,  (164, 0, 0, 0, "\4 \6\0\0\0\0\0\300\0\0\0\0\0\0F\4\0\0\0\0\0\0\200\16\0\0\0\1\03\02\08\05\04\0\0\0\0\0\1\200\16\0\0\0\1\03\02\08\05\05\0\0\0\0\0\2\200\16\0\0\0\1\03\02\08\05\06\0\0\0\0\0\3\200\16\0\0\0\1\03\02\08\05\07\0\0\0\2012\204\301\205\5\320\21\262\220\0\252\0<\366v\12\0\0\0\0\0\4\200\16\0\0\0\1\03\02\07\06\09\0\0\0\0\0\5\200\16\0\0\0\1\03\02\07\07\00\0\0\0\0\0\6\200\16\0\0\0\1\03\02\07\07\01\0\0\0\0\0\7\200\16\0\0\0\1\03\02\07\07\02\0\0\0\0\0\10\200\16\0\0\0\1\03\02\07\07\03\0\0\0\0\0\11\200\16\0\0\0\1\03\02\07\07\04\0\0\0\0\0\12\200\16\0\0\0\1\03\02\07\07\05\0\0\0\0\0\13\200\16\0\0\0\1\03\02\07\07\06\0\0\0\0\0\14\200\16\0\0\0\1\03\02\07\07\07\0\0\0\0\0\15\200\16\0\0\0\1\03\02\07\07\08\0\0\0", 348, 0x0, 0, ... {status=0x0, info=348}, ) , 348, 0x0, 0, ... {status=0x0, info=348}, ) == 0x0
 01193   316   NtSetInformationFile  (164, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01194   316   NtWriteFile  (164, 0, 0, 0,  (164, 0, 0, 0, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\\1\0\0\244\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 164, 0x0, 0, ... {status=0x0, info=164}, ) , 164, 0x0, 0, ... {status=0x0, info=164}, ) == 0x0
 01195   316   NtClose  (164, ... ) == 0x0
 01196   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01197   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01198   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15267184,  (0xc0100080, {24, 0, 0x40, 0, 15267184, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01199   316   NtSetInformationFile  (164, 15268544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01200   316   NtReadFile  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\\1\0\0\244\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01201   316   NtSetInformationFile  (164, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01202   316   NtReadFile  (164, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (164, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\4 \6\0\0\0\0\0\300\0\0\0\0\0\0F\4\0\0\0\0\0\0\200\16\0\0\0\1\03\02\08\05\04\0\0\0\0\0\1\200\16\0\0\0\1\03\02\08\05\05\0\0\0\0\0\2\200\16\0\0\0\1\03\02\08\05\06\0\0\0\0\0\3\200\16\0\0\0\1\03\02\08\05\07\0\0\0\2012\204\301\205\5\320\21\262\220\0\252\0<\366v\12\0\0\0\0\0\4\200\16\0\0\0\1\03\02\07\06\09\0\0\0\0\0\5\200\16\0\0\0\1\03\02\07\07\00\0\0\0\0\0\6\200\16\0\0\0\1\03\02\07\07\01\0\0\0\0\0\7\200\16\0\0\0\1\03\02\07\07\02\0\0\0\0\0\10\200\16\0\0\0\1\03\02\07\07\03\0\0\0\0\0\11\200\16\0\0\0\1\03\02\07\07\04\0\0\0\0\0\12\200\16\0\0\0\1\03\02\07\07\05\0\0\0\0\0\13\200\16\0\0\0\1\03\02\07\07\06\0\0\0\0\0\14\200\16\0\0\0\1\03\02\07\07\07\0\0\0\0\0\15\200\16\0\0\0\1\03\02\07\07\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01203   316   NtClose  (164, ... ) == 0x0
 01204   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01205   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01206   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15267184,  (0xc0100080, {24, 0, 0x40, 0, 15267184, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01207   316   NtSetInformationFile  (164, 15268544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01208   316   NtReadFile  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\\1\0\0\244\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01209   316   NtSetInformationFile  (164, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01210   316   NtWriteFile  (164, 0, 0, 0,  (164, 0, 0, 0, "\4 \6\0\0\0\0\0\300\0\0\0\0\0\0F\7\0\0\0\0\0\0\200\16\0\0\0\1\03\02\08\05\04\0\0\0\0\0\1\200\16\0\0\0\1\03\02\08\05\05\0\0\0\0\0\2\200\16\0\0\0\1\03\02\08\05\06\0\0\0\0\0\3\200\16\0\0\0\1\03\02\08\05\07\0\0\0\0\0\16\200\16\0\0\0\1\03\02\08\01\02\0\0\0\0\0\17\200\16\0\0\0\1\03\02\08\01\03\0\0\0\0\0\20\200\16\0\0\0\1\03\02\08\01\04\0\0\0\2012\204\301\205\5\320\21\262\220\0\252\0<\366v\12\0\0\0\0\0\4\200\16\0\0\0\1\03\02\07\06\09\0\0\0\0\0\5\200\16\0\0\0\1\03\02\07\07\00\0\0\0\0\0\6\200\16\0\0\0\1\03\02\07\07\01\0\0\0\0\0\7\200\16\0\0\0\1\03\02\07\07\02\0\0\0\0\0\10\200\16\0\0\0\1\03\02\07\07\03\0\0\0\0\0\11\200\16\0\0\0\1\03\02\07\07\04\0\0\0\0\0\12\200\16\0\0\0\1\03\02\07\07\05\0\0\0\0\0\13\200\16\0\0\0\1\03\02\07\07\06\0\0\0\0\0\14\200\16\0\0\0\1\03\02\07\07\07\0\0\0\0\0\15\200\16\0\0\0\1\03\02\07\07\08\0\0\0", 414, 0x0, 0, ... {status=0x0, info=414}, ) , 414, 0x0, 0, ... {status=0x0, info=414}, ) == 0x0
 01211   316   NtSetInformationFile  (164, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01212   316   NtWriteFile  (164, 0, 0, 0,  (164, 0, 0, 0, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\236\1\0\0\244\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 164, 0x0, 0, ... {status=0x0, info=164}, ) , 164, 0x0, 0, ... {status=0x0, info=164}, ) == 0x0
 01213   316   NtClose  (164, ... ) == 0x0
 01214   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01215   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01216   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15267184,  (0xc0100080, {24, 0, 0x40, 0, 15267184, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01217   316   NtSetInformationFile  (164, 15268544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01218   316   NtReadFile  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\236\1\0\0\244\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01219   316   NtSetInformationFile  (164, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01220   316   NtReadFile  (164, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (164, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\4 \6\0\0\0\0\0\300\0\0\0\0\0\0F\7\0\0\0\0\0\0\200\16\0\0\0\1\03\02\08\05\04\0\0\0\0\0\1\200\16\0\0\0\1\03\02\08\05\05\0\0\0\0\0\2\200\16\0\0\0\1\03\02\08\05\06\0\0\0\0\0\3\200\16\0\0\0\1\03\02\08\05\07\0\0\0\0\0\16\200\16\0\0\0\1\03\02\08\01\02\0\0\0\0\0\17\200\16\0\0\0\1\03\02\08\01\03\0\0\0\0\0\20\200\16\0\0\0\1\03\02\08\01\04\0\0\0\2012\204\301\205\5\320\21\262\220\0\252\0<\366v\12\0\0\0\0\0\4\200\16\0\0\0\1\03\02\07\06\09\0\0\0\0\0\5\200\16\0\0\0\1\03\02\07\07\00\0\0\0\0\0\6\200\16\0\0\0\1\03\02\07\07\01\0\0\0\0\0\7\200\16\0\0\0\1\03\02\07\07\02\0\0\0\0\0\10\200\16\0\0\0\1\03\02\07\07\03\0\0\0\0\0\11\200\16\0\0\0\1\03\02\07\07\04\0\0\0\0\0\12\200\16\0\0\0\1\03\02\07\07\05\0\0\0\0\0\13\200\16\0\0\0\1\03\02\07\07\06\0\0\0\0\0\14\200\16\0\0\0\1\03\02\07\07\07\0\0\0\0\0\15\200\16\0\0\0\1\03\02\07\07\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01221   316   NtClose  (164, ... ) == 0x0
 01222   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01223   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01224   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15267184,  (0xc0100080, {24, 0, 0x40, 0, 15267184, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01225   316   NtSetInformationFile  (164, 15268544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01226   316   NtReadFile  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\236\1\0\0\244\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01227   316   NtSetInformationFile  (164, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01228   316   NtWriteFile  (164, 0, 0, 0,  (164, 0, 0, 0, "\4 \6\0\0\0\0\0\300\0\0\0\0\0\0F\10\0\0\0\0\0\0\200\16\0\0\0\1\03\02\08\05\04\0\0\0\0\0\1\200\16\0\0\0\1\03\02\08\05\05\0\0\0\0\0\2\200\16\0\0\0\1\03\02\08\05\06\0\0\0\0\0\3\200\16\0\0\0\1\03\02\08\05\07\0\0\0\0\0\16\200\16\0\0\0\1\03\02\08\01\02\0\0\0\0\0\17\200\16\0\0\0\1\03\02\08\01\03\0\0\0\0\0\20\200\16\0\0\0\1\03\02\08\01\04\0\0\0\0\0\21\200\16\0\0\0\1\03\02\08\00\02\0\0\0\2012\204\301\205\5\320\21\262\220\0\252\0<\366v\12\0\0\0\0\0\4\200\16\0\0\0\1\03\02\07\06\09\0\0\0\0\0\5\200\16\0\0\0\1\03\02\07\07\00\0\0\0\0\0\6\200\16\0\0\0\1\03\02\07\07\01\0\0\0\0\0\7\200\16\0\0\0\1\03\02\07\07\02\0\0\0\0\0\10\200\16\0\0\0\1\03\02\07\07\03\0\0\0\0\0\11\200\16\0\0\0\1\03\02\07\07\04\0\0\0\0\0\12\200\16\0\0\0\1\03\02\07\07\05\0\0\0\0\0\13\200\16\0\0\0\1\03\02\07\07\06\0\0\0\0\0\14\200\16\0\0\0\1\03\02\07\07\07\0\0\0\0\0\15\200\16\0\0\0\1\03\02\07\07\08\0\0\0", 436, 0x0, 0, ... {status=0x0, info=436}, ) , 436, 0x0, 0, ... {status=0x0, info=436}, ) == 0x0
 01229   316   NtSetInformationFile  (164, 15268572, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01230   316   NtWriteFile  (164, 0, 0, 0,  (164, 0, 0, 0, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\264\1\0\0\244\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 164, 0x0, 0, ... {status=0x0, info=164}, ) , 164, 0x0, 0, ... {status=0x0, info=164}, ) == 0x0
 01231   316   NtClose  (164, ... ) == 0x0
 01232   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01233   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 01234   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15267088,  (0xc0100080, {24, 0, 0x40, 0, 15267088, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01235   316   NtQueryInformationFile  (164, 15268464, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01236   316   NtSetInformationFile  (164, 15268448, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01237   316   NtReadFile  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (164, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\264\1\0\0\244\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01238   316   NtSetInformationFile  (164, 15268504, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01239   316   NtClose  (164, ... ) == 0x0
 01240   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01241   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 15265204, ... ) }, 15265204, ... ) == 0x0
 01242   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01243   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 164, ... 168, ) == 0x0
 01244   316   NtClose  (164, ... ) == 0x0
 01245   316   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x6f30000), 0x0, 262144, ) == 0x0
 01246   316   NtClose  (168, ... ) == 0x0
 01247   316   NtUnmapViewOfSection  (-1, 0x6f30000, ... ) == 0x0
 01248   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01249   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01250   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01251   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 168, {status=0x0, info=0}, ) }, 7, 16, ... 168, {status=0x0, info=0}, ) == 0x0
 01252   316   NtDeviceIoControlFile  (168, 0, 0x0, 0x0, 0x390008,  (168, 0, 0x0, 0x0, 0x390008, "2\0p\210EC\272 L!\322\221\236\226e\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01253   316   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01254   316   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01255   316   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01256   316   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01257   316   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01258   316   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01259   316   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01260   316   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01261   316   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "J\307\200L\357l\227cPJn'\4@#\226\7E8\3\315\32\374\25\22\325\277\232\324\251\342\261p\313\321\23\336\332\23\252'\250f\2062\311\370\333\243\334e\361R\234]1\4\305\365\227f\232:\323^G\13v\26&\222t\312\334\326p|!\220\263", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "J\307\200L\357l\227cPJn'\4@#\226\7E8\3\315\32\374\25\22\325\277\232\324\251\342\261p\313\321\23\336\332\23\252'\250f\2062\311\370\333\243\334e\361R\234]1\4\305\365\227f\232:\323^G\13v\26&\222t\312\334\326p|!\220\263", 80, ... ) , 80, ... ) == 0x0
 01262   316   NtClose  (-2147482020, ... ) == 0x0
 01252   316   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "G\356\348\5u6!G\3`\35\34\247\25\203\370D\260S\330\247\237\14\363\203PLr31\362\7\177\373&[\373\374s\246\231qc\261\204\371oA\270\36611\350\312!\17\32\310\262:\361^\352\246\34\235\177i\377\306\37\352|G\232\225M_\345\325\11E\3672\213\220\233\345\266\310\212\5\316\370\305\202x&i5\226\333\271\217G\343\307`E\321\354\316|\270\372&\336\234B\377\360\260}\27\331\335qG\312\22\205\320%\320\335\10\227\5\260]\236W\340v\216a\324\25K\270\307\210\270\3726Cie\266\357a(\220nH\242\223\0Z\3058k\335R:\270\200\243\304\264x\2547\271J\272c\204\243\364\354\216\11-\351\367!\7\215\347\373vo\243\217mc\332\244=\L\213\360Hd\304\321\304\244\313\21\343\344\310\2\367\202\224\366nib\\234\342\340_\356\255\360g\225\35Z&\35-7)\214\11\337,\207", ) , ) == 0x0
 01263   316   NtUserRegisterClassExWOW  (15267288, 15267368, 15267352, 15267384, 0, 384, 0, ... ) == 0x810ec038
 01264   316   NtUserGetAtomName  (49208, 15266052, ... ) == 0x15
 01265   316   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 01266   316   NtUserMessageCall  (0x100c6, WM_NCCREATE, 0x0, 0xe8f0b0, 0, 670, 0, ... ) == 0x1
 01267   316   NtUserMessageCall  (0x100c6, WM_NCCALCSIZE, 0x0, 0xe8f0d8, 0, 670, 0, ... ) == 0x0
 01268   316   NtUserSetProp  (65734, 43288, -1, ... ) == 0x1
 01265   316   NtUserCreateWindowEx  ... ) == 0x100c6
 01269   316   NtDeviceIoControlFile  (168, 0, 0x0, 0x0, 0x390008,  (168, 0, 0x0, 0x0, 0x390008, "2\0p\210EC\272\2371\265\276v\265\115f\235-m\357\20,@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01270   316   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01271   316   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01272   316   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01273   316   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01274   316   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01275   316   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01276   316   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01277   316   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01278   316   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "z\365%r\241\363X\255\276\300ol\6B\342\354\10\233\211\334gv=\366\227\336ZR\266#u\356k\364\351\334\364\232oQ\34\254}D\315EC\361\301h\257c\203R \201X\256\204\336]\340\274@\350\6r\335\2306\350\252f\267X\346\374\301g\202", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "z\365%r\241\363X\255\276\300ol\6B\342\354\10\233\211\334gv=\366\227\336ZR\266#u\356k\364\351\334\364\232oQ\34\254}D\315EC\361\301h\257c\203R \201X\256\204\336]\340\274@\350\6r\335\2306\350\252f\267X\346\374\301g\202", 80, ... ) , 80, ... ) == 0x0
 01279   316   NtClose  (-2147482020, ... ) == 0x0
 01269   316   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\201B\247\350\317f\216b\15F\33=\261\362`\3622\222\266N\317\169\315\276\311F\224\274x{\6\237\213K\317\211\10$?\336xH\371C\241\346\307\16\357|\202\227\356\246\203\275\11\375\333\314L!\247\10/\332\323\23JM`\3252M\361x, ) , ) == 0x0
 01280   316   NtDeviceIoControlFile  (168, 0, 0x0, 0x0, 0x390008,  (168, 0, 0x0, 0x0, 0x390008, "2\0p\210EC\272\2371\265\276v\265\11\212\33\11A\212\304\217|\365\235-m\357\20,@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01281   316   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01282   316   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01283   316   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01284   316   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01285   316   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01286   316   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01287   316   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01288   316   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01289   316   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\277\361\331\12\323\271\320p\26Z\371\310\22\212.Vz\11\333\15\261\221*\311\211<1\213\227\243\203\327V\251\234K>\231\200\242\347qraN\271\232\272\244\276\360h\36\201\334\343\301rg-\300\21\306\227U\311\202\332\301\202\224u\314\3\255\264O\244\207\364", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\277\361\331\12\323\271\320p\26Z\371\310\22\212.Vz\11\333\15\261\221*\311\211<1\213\227\243\203\327V\251\234K>\231\200\242\347qraN\271\232\272\244\276\360h\36\201\334\343\301rg-\300\21\306\227U\311\202\332\301\202\224u\314\3\255\264O\244\207\364", 80, ... ) , 80, ... ) == 0x0
 01290   316   NtClose  (-2147482020, ... ) == 0x0
 01280   316   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "l\265\330\325\274\36>\265\2222\223\252\333\2722\224D\302\24\371\325yJ\214q\206\203\355\334\15\246m/\2156{\336\341\357\21\6<\11\266?\322\375$+\214T\17\365ZvEY\322\203+P\217\200r\22\315\257,q\177\200*\262\251\206(\346$!M\3w\313E\221c\0\360\350\234\1,\232\27\256\17\215'6\350$\220\3\365h\247\206Oa\212\215)\265\270TAJ\361,%x\2664\320\211\264T;+\31}\260#\274\304", ) \3\365h\247\206Oa\212\215)\265\270TAJ\361,%x\2664\320\211\264T;+\31}\260#\274\304", ) == 0x0
 01291   316   NtDeviceIoControlFile  (168, 0, 0x0, 0x0, 0x390008,  (168, 0, 0x0, 0x0, 0x390008, "2\0p\210EC\272\2371\265\276v\265\11\212\33\11A\212\304\217\303\210\11A\212\304\217|\365\235-m\357\20,@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01292   316   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01293   316   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01294   316   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01295   316   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01296   316   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01297   316   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01298   316   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01299   316   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01300   316   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "T_@\362\360>\276]\2328\244\46\277\224\246\30`\276\23_IX\340.H\256\245\347\207\366\307\231\302\262\371t\337[.\204\272\370\222\247\372:`\274!y\270\27\243\241\376\235w\4\244\320\235\4\213\336VC,\215d\14\335~\343(\363-\221\215", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "T_@\362\360>\276]\2328\244\46\277\224\246\30`\276\23_IX\340.H\256\245\347\207\366\307\231\302\262\371t\337[.\204\272\370\222\247\372:`\274!y\270\27\243\241\376\235w\4\244\320\235\4\213\336VC,\215d\14\335~\343(\363-\221\215", 80, ... ) , 80, ... ) == 0x0
 01301   316   NtClose  (-2147482020, ... ) == 0x0
 01291   316   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\350\352Y\57\200$\206C[\204\277\4\200\330\205\315pl\11@\26(\346\310\242\323\20\233H\201\215&T\266W\310\27\216\367m\227\216\265\15z\226\222I"f9w\324\350\350D\376\373\4J\17\375\10\301/\350\370\20>\21P\213\232\312\267\17\323\255\203wO\23\376Eu\7=\220\11\35\25\330\222?f\364roy\0\210s\357N\242\5\322\7\334\232\2478\323i?\240l\220\355\276|\370Gq>\31\207p`U|G2Xi\221\342T\236\10\207j$\372;\266\200w%a\5\275\325\263F\260\315\227\373\211\344\204J\205\250\226\330\227\236\221\354L\237y)\276\277yV\244w\306\320'\315b\365\321>\216\233\241\337\216-\5&u\300Sz\226\317\14R`[r\261\34\266\320m\320Gjmxz\12\246(\12\247\325\236\324S\274\213z\376\232K\3779t\351d\357\205B\201\340\352\237\11\354\344m\266\315\376\306", ) f9w\324\350\350D\376\373\4J\17\375\10\301/\350\370\20>\21P\213\232\312\267\17\323\255\203wO\23\376Eu\7=\220\11\35\25\330\222?f\364roy\0\210s\357N\242\5\322\7\334\232\2478\323i?\240l\220\355\276|\370Gq>\31\207p`U|G2Xi\221\342T\236\10\207j$\372;\266\200w%a\5\275\325\263F\260\315\227\373\211\344\204J\205\250\226\330\227\236\221\354L\237y)\276\277yV\244w\306\320'\315b\365\321>\216\233\241\337\216-\5&u\300Sz\226\317\14R`[r\261\34\266\320m\320Gjmxz\12\246(\12\247\325\236\324S\274\213z\376\232K\3779t\351d\357\205B\201\340\352\237\11\354\344m\266\315\376\306", ) == 0x0
 01302   316   NtDeviceIoControlFile  (168, 0, 0x0, 0x0, 0x390008,  (168, 0, 0x0, 0x0, 0x390008, "2\0p\210EC\272\2371\265\276v\265\11\212\33\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217|\365\235-m\357\20,@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01303   316   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01304   316   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01305   316   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01306   316   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01307   316   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01308   316   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01309   316   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01310   316   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01311   316   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "B\23\25\23\375\327\13\34\15\204\220w\331\344\206u\30\274\223\2\220\354\375\227\315`\16\20348;L\35X\320\260/\320\211\300\302\260\17\32\357\3302e\227\2176\251\242\306\241g\225\240\2001-@\344\2139q\377\353n;i\225\204S\177\221\6\306k\226", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "B\23\25\23\375\327\13\34\15\204\220w\331\344\206u\30\274\223\2\220\354\375\227\315`\16\20348;L\35X\320\260/\320\211\300\302\260\17\32\357\3302e\227\2176\251\242\306\241g\225\240\2001-@\344\2139q\377\353n;i\225\204S\177\221\6\306k\226", 80, ... ) , 80, ... ) == 0x0
 01312   316   NtClose  (-2147482020, ... ) == 0x0
 01302   316   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "q\3036\326\363\322\262\264V\265\242\356U\212'\352P(\225s\373B\262\335\262\313^%\334\3736\25\0\376\371\201\240\362\325\37AE$\271\320\363@\3052\335\226\231\220\2028I\340\260\206\11Q\27\302G/4\274\233\337\34(t\274\315\264\231FN\306\273\24\36\5\262=\266OT\10\254R\312&\2762\343KD\366\33\351Ww\3503{\345t^\343\312\332\322r"C\27\325\256 ,\205\200\310\215\377M\13\37\346\240\26\15N\335r\215d\206\211WMgmq3\213\256\225\357>\350\267\323ju\207\233k/\3\333\335H\11\3632,\25T\263k\216\20\352!r\222\2412AS^]a\271/z\32?\212=\263X%\2616tXgM\15\250\34\367\220[\341\254\317-\34y\343o\373K\246\256\4)\230\253u\2\304Vd\222M\30G\357xKt\251\10Sh\322\377\246\300\244\220\300\178\326\3460\361\32\23", ) C\27\325\256 ,\205\200\310\215\377M\13\37\346\240\26\15N\335r\215d\206\211WMgmq3\213\256\225\357>\350\267\323ju\207\233k/\3\333\335H\11\3632,\25T\263k\216\20\352!r\222\2412AS^]a\271/z\32?\212=\263X%\2616tXgM\15\250\34\367\220[\341\254\317-\34y\343o\373K\246\256\4)\230\253u\2\304Vd\222M\30G\357xKt\251\10Sh\322\377\246\300\244\220\300\178\326\3460\361\32\23", ) == 0x0
 01313   316   NtDeviceIoControlFile  (168, 0, 0x0, 0x0, 0x390008,  (168, 0, 0x0, 0x0, 0x390008, "2\0p\210EC\272\2371\265\276v\265\11\212\33\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217|\365\235-m\357\20,@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01314   316   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01315   316   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01316   316   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01317   316   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01318   316   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01319   316   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01320   316   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01321   316   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01322   316   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\210\201}u\275%Y\325k\222h\300\233\277\321\346\27\342.t\2657\5@g?\216\4\10\32\265\345\17[\346\301c\266\3174\300]\344X\251\0K\205\21\2573\273\354\345\217\340\321\342:\326r\343\236\200?\273\15\3048\7#d\11\356\313!\344G\374", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\210\201}u\275%Y\325k\222h\300\233\277\321\346\27\342.t\2657\5@g?\216\4\10\32\265\345\17[\346\301c\266\3174\300]\344X\251\0K\205\21\2573\273\354\345\217\340\321\342:\326r\343\236\200?\273\15\3048\7#d\11\356\313!\344G\374", 80, ... ) , 80, ... ) == 0x0
 01323   316   NtClose  (-2147482020, ... ) == 0x0
 01313   316   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, " o\370\376\351\242\14\371\213\202J\35\\3573\244!\200\227\316\305z\321Q\25\352H~\12\342(\354\340\237\27\377o\0Tf\267\216\371\306J\11\241\25f\2\270\241\326\271r\11\341\262+0\332\340J\205\322\340n+\\323\53\330}!\207NoM\3048L\330N\240>\361\306\364MrJb\301]\376tg\253\343\262.^\374\240\235\177\13\332\230\12\303qG;\351\20\326\345\324\3535\373\277\316\324\360\221t\224*\321h\224\217d?\21;\24\267", ) , ) == 0x0
 01324   316   NtDeviceIoControlFile  (168, 0, 0x0, 0x0, 0x390008,  (168, 0, 0x0, 0x0, 0x390008, "2\0p\210EC\272\2371\265\276v\265\11\212\33\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217|\365\235-m\357\20,@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01325   316   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01326   316   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01327   316   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01328   316   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01329   316   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01330   316   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01331   316   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01332   316   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01333   316   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "|D\333\241{\316\352\250\206\257\314\237\13\251\371\177\0N\47]j\274,\220\3234\2702;\232\345\30F\310\1\22\273\221\242\357\4\276\234\14\371\312?\362&~\305\252\306\2aY\267\220\254\346\323\205\364\315\310\16&1|\16v*\341{\16\16\230\27k", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "|D\333\241{\316\352\250\206\257\314\237\13\251\371\177\0N\47]j\274,\220\3234\2702;\232\345\30F\310\1\22\273\221\242\357\4\276\234\14\371\312?\362&~\305\252\306\2aY\267\220\254\346\323\205\364\315\310\16&1|\16v*\341{\16\16\230\27k", 80, ... ) , 80, ... ) == 0x0
 01334   316   NtClose  (-2147482020, ... ) == 0x0
 01324   316   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\213a8\351\252\234\212\253\27\27\205\226\237\257\363RI+\250\276.\201gH\206'(\341(=>\333}\306\364\212\312Xu\25\374\244\25w%V\366*\351\305\307 6\204\222"\302\257\220\200\211\254\340\372\222[~vO\234\203\22\237\271\7\\212C~\7\334W\337\1)E\346\347\7\355+\16\350;T\312\266\37\2\210\302l\334\315ZB\262^8[\262\370\373WS:\210d[\237\344\340!H\354m\270\303\320\216!\4\3~H\305X|I\217Zq/\376302\257\220\200\211\254\340\372\222[~vO\234\203\22\237\271\7\\212C~\7\334W\337\1)E\346\347\7\355+\16\350;T\312\266\37\2\210\302l\334\315ZB\262^8[\262\370\373WS:\210d[\237\344\340!H\354m\270\303\320\216!\4\3~H\305X|I\217Zq/\376334\221\37\3271|{\235\263.\217\350\337a\255$\256\23v\321+\3363\10\366ta\2100J3\373\236\247\264y\253_\301=C$\352\10\221~\303\361#\260T\205{\32YJ\262f\355/]\230*\360\232\272\2045\341\250\360S8\253\25\3713\243\7\372`\362t\332\225\34\3367I\306\311\\343\256\201\36\311\213\17\4\25\25Xr\27\21", ) == 0x0
 01335   316   NtDeviceIoControlFile  (168, 0, 0x0, 0x0, 0x390008,  (168, 0, 0x0, 0x0, 0x390008, "2\0p\210EC\272\2371\265\276v\265\11\212\33\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217\303\210\11A\212\304\217|\365\235-m\357\20,@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01336   316   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01337   316   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01338   316   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01339   316   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01340   316   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01341   316   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01342   316   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01343   316   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01344   316   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\264\214\250\48+\311\232 \316\7B~\311H\231\233\20\206L+\250oiH\235\316\30\330`\332\227\3643\346\32\224\200\22Q\220N\317\353\357\233\366{\237\11\332\343\205\232\205\204\323\227w\264\361\377\217\255\336'\225?\251h\22_(\247V\205\266g\13[", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\264\214\250\48+\311\232 \316\7B~\311H\231\233\20\206L+\250oiH\235\316\30\330`\332\227\3643\346\32\224\200\22Q\220N\317\353\357\233\366{\237\11\332\343\205\232\205\204\323\227w\264\361\377\217\255\336'\225?\251h\22_(\247V\205\266g\13[", 80, ... ) , 80, ... ) == 0x0
 01345   316   NtClose  (-2147482020, ... ) == 0x0
 01335   316   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\207\25\245\30\371Z\35\203\301\241\233\201\361\303\16O\2601f\360\315Q4>D\362\313\324\212V\2212\323\337\267Nb\177\31\223\366\33:\221M\234\316\22"s\271\34\22\277%\353\364z\230\377\264\215-\347O\224\214\374\346>\3\262w\377\204#\310\3107\3775\315\2703}\30+L\305\365\271>\7\302\36gO\275d\305\201\306M\324\13\340\340\330\2522\34\236\320\201\334\300+\330\31\236\372X2\366p\262\224\267p\232\\K\230\350\32\247\320\260+\233\230\7y\255ScPo\353&a2`_X\203T\316\256\353\212\312\214\177?\2726!\216\335\252\361M\313\14q\263\223\31\26\6\374\4Z\347\321\252\223\371\215\363U\363\27\316k\31g", ) s\271\34\22\277%\353\364z\230\377\264\215-\347O\224\214\374\346>\3\262w\377\204#\310\3107\3775\315\2703}\30+L\305\365\271>\7\302\36gO\275d\305\201\306M\324256\243\256,\355\360C\244\36ya\274i\366\312\25k0\12\364=\253\26\203\223\360\320(D\10\234\35\260\222\214`\371\343\251v\22\343#\15)\262U\23\347\31\322R>\13\340\340\330\2522\34\236\320\201\334\300+\330\31\236\372X2\366p\262\224\267p\232\\K\230\350\32\247\320\260+\233\230\7y\255ScPo\353&a2`_X\203T\316\256\353\212\312\214\177?\2726!\216\335\252\361M\313\14q\263\223\31\26\6\374\4Z\347\321\252\223\371\215\363U\363\27\316k\31g", ) == 0x0
 01346   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 164, ) }, ... 164, ) == 0x0
 01347   316   NtQueryValueKey  (164,  (164, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01348   316   NtClose  (164, ... ) == 0x0
 01349   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01350   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 15265000, ... ) }, 15265000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01351   316   NtQueryAttributesFile  ({24, 84, 0x40, 0, 0,  ({24, 84, 0x40, 0, 0, "CLBCATQ.DLL"}, 15265000, ... ) }, 15265000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01352   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 15265000, ... ) }, 15265000, ... ) == 0x0
 01353   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01354   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 164, ... 172, ) == 0x0
 01355   316   NtQuerySection  (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01356   316   NtClose  (164, ... ) == 0x0
 01357   316   NtMapViewOfSection  (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0
 01358   316   NtClose  (172, ... ) == 0x0
 01359   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01360   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 15264196, ... ) }, 15264196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01361   316   NtQueryAttributesFile  ({24, 84, 0x40, 0, 0,  ({24, 84, 0x40, 0, 0, "COMRes.dll"}, 15264196, ... ) }, 15264196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01362   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 15264196, ... ) }, 15264196, ... ) == 0x0
 01363   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0
 01364   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 172, ... 164, ) == 0x0
 01365   316   NtQuerySection  (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01366   316   NtClose  (172, ... ) == 0x0
 01367   316   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0
 01368   316   NtClose  (164, ... ) == 0x0
 01369   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 164, ) }, ... 164, ) == 0x0
 01370   316   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01371   316   NtClose  (164, ... ) == 0x0
 01372   316   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01373   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01374   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 164, ) }, ... 164, ) == 0x0
 01375   316   NtQueryValueKey  (164,  (164, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01376   316   NtQueryValueKey  (164,  (164, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01377   316   NtClose  (164, ... ) == 0x0
 01378   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 15265028, ... ) }, 15265028, ... ) == 0x0
 01379   316   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01380   316   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01381   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 164, ) }, ... 164, ) == 0x0
 01382   316   NtQueryValueKey  (164,  (164, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01383   316   NtClose  (164, ... ) == 0x0
 01384   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 164, ) }, ... 164, ) == 0x0
 01385   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01386   316   NtNotifyChangeKey  (164, 172, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01387   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 176, ) }, ... 176, ) == 0x0
 01388   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01389   316   NtNotifyChangeKey  (176, 180, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01390   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01391   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 188, ) }, ... 188, ) == 0x0
 01392   316   NtSetInformationObject  (188, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01393   316   NtNotifyChangeKey  (188, 184, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01394   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 192, ) }, ... 192, ) == 0x0
 01395   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 01396   316   NtNotifyChangeKey  (192, 196, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01397   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01398   316   NtNotifyChangeKey  (188, 200, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01399   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 204, ) }, ... 204, ) == 0x0
 01400   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0
 01401   316   NtNotifyChangeKey  (204, 208, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01402   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 212, ) }, ... 212, ) == 0x0
 01403   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0
 01404   316   NtNotifyChangeKey  (212, 216, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01405   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 220, ) }, ... 220, ) == 0x0
 01406   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 01407   316   NtNotifyChangeKey  (220, 224, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01408   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 228, ) }, ... 228, ) == 0x0
 01409   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0
 01410   316   NtNotifyChangeKey  (228, 232, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01411   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 236, ) }, ... 236, ) == 0x0
 01412   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0
 01413   316   NtNotifyChangeKey  (236, 240, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01414   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0
 01415   316   NtNotifyChangeKey  (188, 244, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01416   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 248, ) }, ... 248, ) == 0x0
 01417   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0
 01418   316   NtNotifyChangeKey  (248, 252, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01419   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 256, ) }, ... 256, ) == 0x0
 01420   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0
 01421   316   NtNotifyChangeKey  (256, 260, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01422   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 264, ) }, ... 264, ) == 0x0
 01423   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 268, ) == 0x0
 01424   316   NtNotifyChangeKey  (264, 268, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103
 01425   316   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 272, ) }, ... 272, ) == 0x0
 01427   316   NtQueryValueKey  (272,  (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (272, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01428   316   NtClose  (272, ... ) == 0x0
 01429   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01430   316   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01431   316   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 272, ) }, ... 272, ) == 0x0
 01432   316   NtMapViewOfSection  (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3d0000), {0, 0}, 24576, ) == 0x0
 01433   316   NtAllocateVirtualMemory  (-1, 1200128, 0, 8192, 4096, 4, ... 1200128, 8192, ) == 0x0
 01434   316   NtOpenSection  (0x4, {24, 52, 0x2, 0, 0,  (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 276, ) }, ... 276, ) == 0x0
 01436   316   NtQueryValueKey  (276,  (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (276, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01437   316   NtClose  (276, ... ) == 0x0
 01438   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01439   316   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01440   316   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 1, ... 4128768, 65536, ) == 0x0
 01441   316   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 01442   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01443   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 276, ) == 0x0
 01444   316   NtQueryInformationToken  (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01445   316   NtClose  (276, ... ) == 0x0
 01446   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 276, ) }, ... 276, ) == 0x0
 01447   316   NtSetInformationObject  (278, Handle, {Inherit=0,ProtectFromClose=1,}, 15204608, ... ) == 0x0
 01448   316   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01449   316   NtOpenKey  (0x20019, {24, 278, 0x40, 0, 0,  (0x20019, {24, 278, 0x40, 0, 0, "CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... 280, ) }, ... 280, ) == 0x0
 01451   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}2"}, 162, ) }, 162, ) == 0x0
 01452   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01453   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01454   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01455   316   NtClose  (284, ... ) == 0x0
 01456   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01457   316   NtOpenKey  (0x1, {24, 282, 0x40, 0, 0,  (0x1, {24, 282, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01458   316   NtClose  (282, ... ) == 0x0
 01459   316   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01460   316   NtOpenKey  (0x20019, {24, 278, 0x40, 0, 0,  (0x20019, {24, 278, 0x40, 0, 0, "CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... 280, ) }, ... 280, ) == 0x0
 01462   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}2"}, 162, ) }, 162, ) == 0x0
 01463   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01464   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01465   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01466   316   NtClose  (284, ... ) == 0x0
 01467   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   316   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01469   316   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01470   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01471   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01472   316   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01473   316   NtClose  (288, ... ) == 0x0
 01474   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475   316   NtQueryValueKey  (286,  (286, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   316   NtClose  (286, ... ) == 0x0
 01477   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}_"}, 162, ) }, 162, ) == 0x0
 01478   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01479   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01480   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01481   316   NtClose  (284, ... ) == 0x0
 01482   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483   316   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}_"}, 162, ) }, 162, ) == 0x0
 01485   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01486   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01487   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01488   316   NtClose  (284, ... ) == 0x0
 01489   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01490   316   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01491   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}_"}, 162, ) }, 162, ) == 0x0
 01492   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01493   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01494   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01495   316   NtClose  (284, ... ) == 0x0
 01496   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01497   316   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01498   316   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01499   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01500   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01501   316   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01502   316   NtClose  (288, ... ) == 0x0
 01503   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504   316   NtQueryValueKey  (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (286, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0i\0d\0e\0n\0t\0.\0d\0l\0l\0\0\0"}, 76, ) }, 76, ) == 0x0
 01505   316   NtClose  (286, ... ) == 0x0
 01506   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}_"}, 162, ) }, 162, ) == 0x0
 01507   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01508   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01509   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01510   316   NtClose  (284, ... ) == 0x0
 01511   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01512   316   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01513   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}_"}, 162, ) }, 162, ) == 0x0
 01514   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01515   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01516   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01517   316   NtClose  (284, ... ) == 0x0
 01518   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01519   316   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01520   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}_"}, 162, ) }, 162, ) == 0x0
 01521   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01522   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01523   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01524   316   NtClose  (284, ... ) == 0x0
 01525   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526   316   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01527   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}_"}, 162, ) }, 162, ) == 0x0
 01528   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01529   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01530   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01531   316   NtClose  (284, ... ) == 0x0
 01532   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01533   316   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   316   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01535   316   NtOpenKey  (0x20019, {24, 278, 0x40, 0, 0,  (0x20019, {24, 278, 0x40, 0, 0, "CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... 284, ) }, ... 284, ) == 0x0
 01537   316   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}2"}, 162, ) }, 162, ) == 0x0
 01538   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01539   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01540   316   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01541   316   NtClose  (288, ... ) == 0x0
 01542   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543   316   NtQueryValueKey  (286,  (286, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544   316   NtClose  (286, ... ) == 0x0
 01545   316   NtClose  (282, ... ) == 0x0
 01546   316   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {312, 0}, ... 280, ) == 0x0
 01547   316   NtQueryInformationProcess  (280, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01548   316   NtClose  (280, ... ) == 0x0
 01549   316   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01550   316   NtOpenKey  (0x20019, {24, 278, 0x40, 0, 0,  (0x20019, {24, 278, 0x40, 0, 0, "CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... 280, ) }, ... 280, ) == 0x0
 01552   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}2"}, 162, ) }, 162, ) == 0x0
 01553   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01554   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01555   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01556   316   NtClose  (284, ... ) == 0x0
 01557   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558   316   NtOpenKey  (0x2000000, {24, 282, 0x40, 0, 0,  (0x2000000, {24, 282, 0x40, 0, 0, "InprocServer32"}, ... 284, ) }, ... 284, ) == 0x0
 01559   316   NtQueryKey  (286, Name, 392, ... {Name= (286, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01560   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01561   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 288, ) == 0x0
 01562   316   NtQueryInformationToken  (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01563   316   NtClose  (288, ... ) == 0x0
 01564   316   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565   316   NtQueryValueKey  (286,  (286, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0o\0t\0h\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (286, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0o\0t\0h\0\0\0"}, 22, ) }, 22, ) == 0x0
 01566   316   NtClose  (286, ... ) == 0x0
 01567   316   NtClose  (282, ... ) == 0x0
 01568   316   NtQueryKey  (278, Name, 384, ... {Name= (278, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01569   316   NtOpenKey  (0x20019, {24, 278, 0x40, 0, 0,  (0x20019, {24, 278, 0x40, 0, 0, "CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{A9AE6C91-1D1B-11D2-B21A-00C04FA357FA}"}, ... 280, ) }, ... 280, ) == 0x0
 01571   316   NtQueryKey  (282, Name, 384, ... {Name= (282, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}2"}, 162, ) }, 162, ) == 0x0
 01572   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01573   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 284, ) == 0x0
 01574   316   NtQueryInformationToken  (284, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01575   316   NtClose  (284, ... ) == 0x0
 01576   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{a9ae6c91-1d1b-11d2-b21a-00c04fa357fa}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01577   316   NtOpenKey  (0x1, {24, 282, 0x40, 0, 0,  (0x1, {24, 282, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01578   316   NtClose  (282, ... ) == 0x0
 01579   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msident.dll"}, 15261420, ... ) }, 15261420, ... ) == 0x0
 01580   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msident.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01581   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 280, ... 284, ) == 0x0
 01582   316   NtClose  (280, ... ) == 0x0
 01583   316   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x6f30000), 0x0, 45056, ) == 0x0
 01584   316   NtClose  (284, ... ) == 0x0
 01585   316   NtUnmapViewOfSection  (-1, 0x6f30000, ... ) == 0x0
 01586   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msident.dll"}, 15261736, ... ) }, 15261736, ... ) == 0x0
 01587   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msident.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 01588   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 280, ) == 0x0
 01589   316   NtQuerySection  (280, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01590   316   NtClose  (284, ... ) == 0x0
 01591   316   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x608a0000), 0x0, 53248, ) == 0x0
 01592   316   NtClose  (280, ... ) == 0x0
 01593   316   NtUserRegisterWindowMessage  ( ("WM_IDENTITY_CHANGED", ... ) , ... ) == 0xc0cc
 01594   316   NtUserRegisterWindowMessage  ( ("WM_QUERY_IDENTITY_CHANGE", ... ) , ... ) == 0xc0cd
 01595   316   NtUserRegisterWindowMessage  ( ("WM_IDENTITY_INFO_CHANGED", ... ) , ... ) == 0xc0ce
 01596   316   NtQueryDefaultUILanguage  (15259996, ...
 01597   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01598   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 01599   316   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01600   316   NtClose  (-2147482020, ... ) == 0x0
 01601   316   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 01602   316   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01603   316   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 01604   316   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01605   316   NtClose  (-2147482032, ... ) == 0x0
 01606   316   NtClose  (-2147482020, ... ) == 0x0
 01596   316   NtQueryDefaultUILanguage  ... ) == 0x0
 01607   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01608   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msident.dll"}, 1, 96, ... 280, {status=0x0, info=1}, ) }, 1, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01609   316   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 280, ... 284, ) == 0x0
 01610   316   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x6f30000), 0x0, 45056, ) == 0x0
 01611   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msident.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01612   316   NtAllocateVirtualMemory  (-1, 15249408, 0, 4096, 4096, 260, ... 15249408, 4096, ) == 0x0
 01613   316   NtQueryDefaultLocale  (1, 15258032, ... ) == 0x0
 01614   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msident.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01615   316   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 15258888, 1, 96, 0}  (24, {128, 156, new_msg, 0, 15258888, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\330\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\30\1\0\0\377\377\377\377\0\0\0\0\220\221\363\6\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\334\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1531, 0} " S\26\0\33\0\1\0\0\0\0\0\1\330\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\30\1\0\0\377\377\377\377\0\0\0\0\220\221\363\6\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\334\350\0\0\0\0\0" )  ... {128, 156, reply, 0, 312, 316, 1531, 0}  (24, {128, 156, new_msg, 0, 15258888, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\330\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\30\1\0\0\377\377\377\377\0\0\0\0\220\221\363\6\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\334\350\0\0\0\0\0" ... {128, 156, reply, 0, 312, 316, 1531, 0} " S\26\0\33\0\1\0\0\0\0\0\1\330\350\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\30\1\0\0\377\377\377\377\0\0\0\0\220\221\363\6\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\334\350\0\0\0\0\0" )  ) == 0x0
 01616   316   NtClose  (280, ... ) == 0x0
 01617   316   NtClose  (284, ... ) == 0x0
 01618   316   NtUnmapViewOfSection  (-1, 0x6f30000, ... ) == 0x0
 01619   316   NtUnmapViewOfSection  (-1, 0xe8dc08, ... ) == STATUS_NOT_MAPPED_VIEW
 01620   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01621   316   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01622   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01623   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01624   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 15257116, ... ) }, 15257116, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01625   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01626   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01627   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01628   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 15257708, ... ) }, 15257708, ... ) == 0x0
 01629   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 284, {status=0x0, info=1}, ) }, 3, 33, ... 284, {status=0x0, info=1}, ) == 0x0
 01630   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01631   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01632   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01633   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHLWAPI.dll"}, 15260308, ... ) }, 15260308, ... ) == 0x0
 01634   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHLWAPI.dll"}, 15259120, ... ) }, 15259120, ... ) == 0x0
 01635   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01636   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01637   316   NtQueryDefaultLocale  (1, 15261172, ... ) == 0x0
 01638   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01639   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01640   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHLWAPI.dll"}, 15260292, ... ) }, 15260292, ... ) == 0x0
 01641   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHLWAPI.dll"}, 15259104, ... ) }, 15259104, ... ) == 0x0
 01642   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01643   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01644   316   NtQueryDefaultLocale  (1, 15261156, ... ) == 0x0
 01645   316   NtQueryDefaultUILanguage  (15259844, ...
 01646   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01647   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 01648   316   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01649   316   NtClose  (-2147482020, ... ) == 0x0
 01650   316   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 01651   316   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01652   316   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 01653   316   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01654   316   NtClose  (-2147482032, ... ) == 0x0
 01655   316   NtClose  (-2147482020, ... ) == 0x0
 01645   316   NtQueryDefaultUILanguage  ... ) == 0x0
 01656   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01657   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msidntld.dll"}, 15257068, ... ) }, 15257068, ... ) == 0x0
 01658   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msidntld.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01659   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 280, ... 288, ) == 0x0
 01660   316   NtClose  (280, ... ) == 0x0
 01661   316   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x6f30000), 0x0, 16384, ) == 0x0
 01662   316   NtClose  (288, ... ) == 0x0
 01663   316   NtUnmapViewOfSection  (-1, 0x6f30000, ... ) == 0x0
 01664   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msidntld.dll"}, 15257384, ... ) }, 15257384, ... ) == 0x0
 01665   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\msidntld.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0
 01666   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 288, ... 280, ) == 0x0
 01667   316   NtQuerySection  (280, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01668   316   NtClose  (288, ... ) == 0x0
 01669   316   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x60890000), 0x0, 24576, ) == 0x0
 01670   316   NtClose  (280, ... ) == 0x0
 01671   316   NtCreateMutant  (0x1f0001, {24, 52, 0x82, 15313584, 0,  (0x1f0001, {24, 52, 0x82, 15313584, 0, "MSIdent Logon"}, 0, ... 280, ) }, 0, ... 280, ) == 0x0
 01672   316   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities"}, ... 288, ) }, ... 288, ) == 0x0
 01673   316   NtDeleteValueKey  (288,  (288, "Changing", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01674   316   NtDeleteValueKey  (288,  (288, "IncomingID", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01675   316   NtDeleteValueKey  (288,  (288, "OutgoingID", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01676   316   NtClose  (288, ... ) == 0x0
 01677   316   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0
 01678   316   NtEnumerateKey  (288, 0, Basic, 288, ... {LastWrite={0x910e9784,0x1c7399c}, TitleIdx=0, Name= (288, 0, Basic, 288, ... {LastWrite={0x910e9784,0x1c7399c}, TitleIdx=0, Name="{A004FC53-EF29-4DAA-989E-9C96D0F26D28}"}, 92, ) }, 92, ) == 0x0
 01679   316   NtOpenKey  (0x2000000, {24, 288, 0x40, 0, 0,  (0x2000000, {24, 288, 0x40, 0, 0, "{A004FC53-EF29-4DAA-989E-9C96D0F26D28}"}, ... 292, ) }, ... 292, ) == 0x0
 01680   316   NtQueryValueKey  (292,  (292, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (292, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01681   316   NtQueryValueKey  (292,  (292, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (292, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01682   316   NtClose  (292, ... ) == 0x0
 01683   316   NtEnumerateKey  (288, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01684   316   NtClose  (288, ... ) == 0x0
 01685   316   NtFindAtom  ( ("I\0D\0E\0N\0T\0I\0T\0Y\0_\0L\0O\0G\0I\0N\0", 28, 15261784, ... ) , 28, 15261784, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01686   316   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Identities"}, ... 288, ) }, ... 288, ) == 0x0
 01687   316   NtQueryValueKey  (288,  (288, "Migrated5", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "Migrated5", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01688   316   NtClose  (288, ... ) == 0x0
 01689   316   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0
 01690   316   NtQueryValueKey  (288,  (288, "Start As", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01691   316   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities"}, 0, 0x0, 0, ... 292, 2, ) }, 0, 0x0, 0, ... 292, 2, ) == 0x0
 01692   316   NtQueryValueKey  (292,  (292, "Default User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (292, "Default User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01693   316   NtQueryValueKey  (292,  (292, "Default User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (292, "Default User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01694   316   NtClose  (292, ... ) == 0x0
 01695   316   NtClose  (288, ... ) == 0x0
 01696   316   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities\{A004FC53-EF29-4DAA-989E-9C96D0F26D28}"}, ... 288, ) }, ... 288, ) == 0x0
 01697   316   NtQueryValueKey  (288,  (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01698   316   NtQueryValueKey  (288,  (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01699   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "PSTOREC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01700   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\PSTOREC.DLL"}, 15258856, ... ) }, 15258856, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01701   316   NtQueryAttributesFile  ({24, 84, 0x40, 0, 0,  ({24, 84, 0x40, 0, 0, "PSTOREC.DLL"}, 15258856, ... ) }, 15258856, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01702   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\PSTOREC.DLL"}, 15258856, ... ) }, 15258856, ... ) == 0x0
 01703   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\PSTOREC.DLL"}, 5, 96, ... 292, {status=0x0, info=1}, ) }, 5, 96, ... 292, {status=0x0, info=1}, ) == 0x0
 01704   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 292, ... 296, ) == 0x0
 01705   316   NtQuerySection  (296, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01706   316   NtClose  (292, ... ) == 0x0
 01707   316   NtMapViewOfSection  (296, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5e0c0000), 0x0, 49152, ) == 0x0
 01708   316   NtClose  (296, ... ) == 0x0
 01709   316   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01710   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 15258052, ... ) }, 15258052, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01711   316   NtQueryAttributesFile  ({24, 84, 0x40, 0, 0,  ({24, 84, 0x40, 0, 0, "ATL.DLL"}, 15258052, ... ) }, 15258052, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01712   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 15258052, ... ) }, 15258052, ... ) == 0x0
 01713   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 296, {status=0x0, info=1}, ) }, 5, 96, ... 296, {status=0x0, info=1}, ) == 0x0
 01714   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 296, ... 292, ) == 0x0
 01715   316   NtQuerySection  (292, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01716   316   NtClose  (296, ... ) == 0x0
 01717   316   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0
 01718   316   NtClose  (292, ... ) == 0x0
 01719   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01720   316   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 116719616, 262144, ) == 0x0
 01721   316   NtAllocateVirtualMemory  (-1, 116719616, 0, 4096, 4096, 4, ... 116719616, 4096, ) == 0x0
 01722   316   NtAllocateVirtualMemory  (-1, 116723712, 0, 8192, 4096, 4, ... 116723712, 8192, ) == 0x0
 01723   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01724   316   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01725   316   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 292, ) }, ... 292, ) == 0x0
 01726   316   NtWaitForSingleObject  (292, 0, {-1800000000, -1}, ... ) == 0x0
 01727   316   NtClose  (292, ... ) == 0x0
 01728   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01729   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01730   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 292, ) }, ... 292, ) == 0x0
 01731   316   NtQueryValueKey  (292,  (292, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01732   316   NtClose  (292, ... ) == 0x0
 01733   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01734   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 292, ) == 0x0
 01735   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 296, ) == 0x0
 01736   316   NtQuerySystemTime  (... {1629764040, 29889260}, ) == 0x0
 01737   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0
 01738   316   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01739   316   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01740   316   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01741   316   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01742   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 304, ) == 0x0
 01743   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 308, ) == 0x0
 01744   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 312, ) }, ... 312, ) == 0x0
 01745   316   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "ActiveComputerName"}, ... 316, ) }, ... 316, ) == 0x0
 01746   316   NtQueryValueKey  (316,  (316, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (316, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (316, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01747   316   NtClose  (316, ... ) == 0x0
 01748   316   NtClose  (312, ... ) == 0x0
 01749   316   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 312, ) == 0x0
 01750   316   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 316, ) == 0x0
 01751   316   NtDuplicateObject  (-1, 312, -1, 0x0, 0, 2, ... 320, ) == 0x0
 01752   316   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01753   316   NtAllocateVirtualMemory  (-1, 15360000, 0, 4096, 4096, 4, ... 15360000, 4096, ) == 0x0
 01754   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0
 01755   316   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01756   316   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01757   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15257748,  (0xc0100080, {24, 0, 0x40, 0, 15257748, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 01758   316   NtSetInformationFile  (328, 15257804, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01759   316   NtSetInformationFile  (328, 15257796, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01760   316   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01761   316   NtWriteFile  (328, 305, 0, 0,  (328, 305, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01762   316   NtReadFile  (328, 305, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 305, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\23"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 01763   316   NtFsControlFile  (328, 305, 0x0, 0x0, 0x11c017,  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\23"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\23"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 01764   316   NtFsControlFile  (328, 305, 0x0, 0x0, 0x11c017,  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\20\0\0\0\0\0\334\366\376\235\337~\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0P\0r\0o\0t\0e\0c\0t\0e\0d\0S\0t\0o\0r\0a\0g\0e\0\0\0\0\0\5\0\0\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\334\366\376\235\337~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 96, 1024, ... {status=0x103, info=48},  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\20\0\0\0\0\0\334\366\376\235\337~\334\21\261\310\0\14)\371\246\305\21\0\0\0\0\0\0\0\21\0\0\0P\0r\0o\0t\0e\0c\0t\0e\0d\0S\0t\0o\0r\0a\0g\0e\0\0\0\0\0\5\0\0\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\334\366\376\235\337~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01765   316   NtOpenProcessToken  (-1, 0x8, ... 332, ) == 0x0
 01766   316   NtQueryInformationToken  (332, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0
 01767   316   NtClose  (332, ... ) == 0x0
 01768   316   NtFsControlFile  (328, 305, 0x0, 0x0, 0x11c017,  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\35\0\0\0\0\0\335\366\376\235\337~\334\21\261\310\0\14)\371\246\305\0\4\0\0", 48, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\335\366\376\235\337~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 48, 1024, ... {status=0x103, info=48},  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\35\0\0\0\0\0\335\366\376\235\337~\334\21\261\310\0\14)\371\246\305\0\4\0\0", 48, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\335\366\376\235\337~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01769   316   NtFsControlFile  (328, 305, 0x0, 0x0, 0x11c017,  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\335\366\376\235\337~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=204}, "\5\0\2\3\20\0\0\0\314\0\0\0\3\0\0\0\264\0\0\0\0\0\0\0 \1\0\0\2\0\0\0\1\0\0\0H\327\350\0h\327\350\0\0\0\0\0l\327\350\0t\327\350\0\200\327\350\0\36\0\0\0\0\0\0\0\36\0\0\0C:\WINDOWS\system32\lsass.exe\0N\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0S\0\7\0\0\0\0\0\0\0\7\0\0\0RpcSs/\0\0\14\0\0\0\0\0\0\0\14\0\0\0LocalSystem\0\22\0\0\0\0\0\0\0\22\0\0\0Protected Storage\0\0\0\274\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=204},  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\335\366\376\235\337~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=204}, "\5\0\2\3\20\0\0\0\314\0\0\0\3\0\0\0\264\0\0\0\0\0\0\0 \1\0\0\2\0\0\0\1\0\0\0H\327\350\0h\327\350\0\0\0\0\0l\327\350\0t\327\350\0\200\327\350\0\36\0\0\0\0\0\0\0\36\0\0\0C:\WINDOWS\system32\lsass.exe\0N\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0S\0\7\0\0\0\0\0\0\0\7\0\0\0RpcSs/\0\0\14\0\0\0\0\0\0\0\14\0\0\0LocalSystem\0\22\0\0\0\0\0\0\0\22\0\0\0Protected Storage\0\0\0\274\0\0\0\0\0\0\0", ) , ) == 0x103
 01770   316   NtFsControlFile  (328, 305, 0x0, 0x0, 0x11c017,  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\335\366\376\235\337~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\4\0\0\0 \0\0\0\0\0\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\335\366\376\235\337~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\4\0\0\0 \0\0\0\0\0\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01771   316   NtFsControlFile  (328, 305, 0x0, 0x0, 0x11c017,  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\6\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\334\366\376\235\337~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\5\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (328, 305, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\6\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\334\366\376\235\337~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\5\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01772   316   NtClose  (324, ... ) == 0x0
 01773   316   NtClose  (328, ... ) == 0x0
 01774   316   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\PS_SERVICE_STARTED"}, ... 328, ) }, ... 328, ) == 0x0
 01775   316   NtWaitForSingleObject  (328, 0, {-100000000, -1}, ... ) == 0x0
 01776   316   NtClose  (328, ... ) == 0x0
 01777   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 01778   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0
 01779   316   NtConnectPort  ( ("\RPC Control\protected_storage", {12, 2, 1, 1}, 0x0, 0x0, 15259188, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 15259188, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 01780   316   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 15269888, 119816, 15269888, 15258952}  (332, {128, 152, new_msg, 0, 15269888, 119816, 15269888, 15258952} "\0$\370w\370\333\350\0\2$\370w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\270^\352\0\4\0\0\0\270^\352\0\20\344\314w\270^\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\215\26\365w\1\0\0\0\220^\352\0\240\1\351\0\1\0\0\0\330j\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0H\0\0\0" ... {128, 152, reply, 0, 312, 316, 1533, 0} "\7$\370w\370\333\350\0\2$\370w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\270^\352\0\377\377\377\377\270^\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\215\26\365w\1\0\0\0\220^\352\0\240\1\351\0\1\0\0\0\330j\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0H\0\0\0" )  ... {128, 152, reply, 0, 312, 316, 1533, 0}  (332, {128, 152, new_msg, 0, 15269888, 119816, 15269888, 15258952} "\0$\370w\370\333\350\0\2$\370w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\270^\352\0\4\0\0\0\270^\352\0\20\344\314w\270^\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\215\26\365w\1\0\0\0\220^\352\0\240\1\351\0\1\0\0\0\330j\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0H\0\0\0" ... {128, 152, reply, 0, 312, 316, 1533, 0} "\7$\370w\370\333\350\0\2$\370w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\270^\352\0\377\377\377\377\270^\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\215\26\365w\1\0\0\0\220^\352\0\240\1\351\0\1\0\0\0\330j\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0H\0\0\0" )  ) == 0x0
 01781   316   NtRequestWaitReplyPort  (332, {148, 172, new_msg, 0, 44, 6, 20, 0}  (332, {148, 172, new_msg, 0, 44, 6, 20, 0} "\1\0\0\0A\2\4\0\337~\334\21\261\310\0\14)\371\246\305\0\4\0\0\377\377\377\377\21\0\0\00\214\7\212U7\320\21\240\275\0\252\0aBjH\1\0\08\1\0\08\1\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {84, 108, reply, 0, 312, 316, 1534, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\321|\0\0\1\0\0\0\0\0\0\0\0\09\30\00\3008G\20\2015\10\0\00\00\300\0\0\0\0\1009\341\0\0\0\0\377\377<\3\340\313\364\367" )  ... {84, 108, reply, 0, 312, 316, 1534, 0}  (332, {148, 172, new_msg, 0, 44, 6, 20, 0} "\1\0\0\0A\2\4\0\337~\334\21\261\310\0\14)\371\246\305\0\4\0\0\377\377\377\377\21\0\0\00\214\7\212U7\320\21\240\275\0\252\0aBjH\1\0\08\1\0\08\1\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {84, 108, reply, 0, 312, 316, 1534, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\321|\0\0\1\0\0\0\0\0\0\0\0\09\30\00\3008G\20\2015\10\0\00\00\300\0\0\0\0\1009\341\0\0\0\0\377\377<\3\340\313\364\367" )  ) == 0x0
 01782   316   NtClose  (328, ... ) == 0x0
 01783   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 01784   316   NtRequestWaitReplyPort  (332, {44, 68, new_msg, 56, 312, 316, 1534, 0}  (332, {44, 68, new_msg, 56, 312, 316, 1534, 0} "\1\313\0\0B\2\21\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\0\1\0\0\0\310m\352\0\4\1\0\0" ... {96, 120, reply, 0, 312, 316, 1535, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\0\0\210\331\13\0\24\0\0\0\0\0\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {96, 120, reply, 0, 312, 316, 1535, 0}  (332, {44, 68, new_msg, 56, 312, 316, 1534, 0} "\1\313\0\0B\2\21\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\0\1\0\0\0\310m\352\0\4\1\0\0" ... {96, 120, reply, 0, 312, 316, 1535, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\0\0\210\331\13\0\24\0\0\0\0\0\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01785   316   NtClose  (328, ... ) == 0x0
 01786   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 01787   316   NtRequestWaitReplyPort  (332, {88, 112, new_msg, 0, 312, 316, 1535, 0}  (332, {88, 112, new_msg, 0, 312, 316, 1535, 0} "\1\0\0\0A\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\321|\0\0\1\0\0\0H\1\0\08\1\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 312, 316, 1536, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\0\0\0\0\1\0\0\0" )  ... {40, 64, reply, 0, 312, 316, 1536, 0}  (332, {88, 112, new_msg, 0, 312, 316, 1535, 0} "\1\0\0\0A\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\321|\0\0\1\0\0\0H\1\0\08\1\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 312, 316, 1536, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 01788   316   NtClose  (324, ... ) == 0x0
 01789   316   NtClose  (332, ... ) == 0x0
 01790   316   NtClose  (328, ... ) == 0x0
 01791   316   NtQueryValueKey  (288,  (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01792   316   NtQueryValueKey  (288,  (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01793   316   NtClose  (288, ... ) == 0x0
 01794   316   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities\{A004FC53-EF29-4DAA-989E-9C96D0F26D28}"}, ... 288, ) }, ... 288, ) == 0x0
 01795   316   NtQueryValueKey  (288,  (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01796   316   NtQueryValueKey  (288,  (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01797   316   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\PS_SERVICE_STARTED"}, ... 328, ) }, ... 328, ) == 0x0
 01798   316   NtWaitForSingleObject  (328, 0, {-100000000, -1}, ... ) == 0x0
 01799   316   NtClose  (328, ... ) == 0x0
 01800   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 01801   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 01802   316   NtConnectPort  ( ("\RPC Control\protected_storage", {12, 2, 1, 1}, 0x0, 0x0, 15259188, 112, ... 324, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 15259188, 112, ... 324, 0x0, 0x0, 0x0, 112, ) == 0x0
 01803   316   NtRequestWaitReplyPort  (324, {128, 152, new_msg, 0, 15269888, 119816, 15269888, 15258952}  (324, {128, 152, new_msg, 0, 15269888, 119816, 15269888, 15258952} "\0$\370w\370\333\350\0\2$\370w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\270^\352\0\4\0\0\0\270^\352\0\20\344\314w\270^\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\215\26\365w\1\0\0\0\220^\352\0\240\1\351\0\1\0\0\0\330j\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 312, 316, 1539, 0} "\7$\370w\370\333\350\0\2$\370w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\270^\352\0\377\377\377\377\270^\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\215\26\365w\1\0\0\0\220^\352\0\240\1\351\0\1\0\0\0\330j\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 312, 316, 1539, 0}  (324, {128, 152, new_msg, 0, 15269888, 119816, 15269888, 15258952} "\0$\370w\370\333\350\0\2$\370w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\270^\352\0\4\0\0\0\270^\352\0\20\344\314w\270^\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\215\26\365w\1\0\0\0\220^\352\0\240\1\351\0\1\0\0\0\330j\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 312, 316, 1539, 0} "\7$\370w\370\333\350\0\2$\370w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\270^\352\0\377\377\377\377\270^\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\215\26\365w\1\0\0\0\220^\352\0\240\1\351\0\1\0\0\0\330j\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0" )  ) == 0x0
 01804   316   NtRequestWaitReplyPort  (324, {148, 172, new_msg, 0, 312, 316, 1536, 0}  (324, {148, 172, new_msg, 0, 312, 316, 1536, 0} "\1\313\0\0A\2\4\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\00\214\7\212U7\320\21\240\275\0\252\0aBjH\1\0\08\1\0\08\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {84, 108, reply, 0, 312, 316, 1540, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\360|\0\0\2\0\0\0\0\0\0\0\0\09\30\00\3008G\20\2015\10\0\00\00\300\0\0\0\0\1009\341\0\0\0\0\377\377<\3\340\313\364\367" )  ... {84, 108, reply, 0, 312, 316, 1540, 0}  (324, {148, 172, new_msg, 0, 312, 316, 1536, 0} "\1\313\0\0A\2\4\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\00\214\7\212U7\320\21\240\275\0\252\0aBjH\1\0\08\1\0\08\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {84, 108, reply, 0, 312, 316, 1540, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\360|\0\0\2\0\0\0\0\0\0\0\0\09\30\00\3008G\20\2015\10\0\00\00\300\0\0\0\0\1009\341\0\0\0\0\377\377<\3\340\313\364\367" )  ) == 0x0
 01805   316   NtClose  (328, ... ) == 0x0
 01806   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 01807   316   NtRequestWaitReplyPort  (324, {44, 68, new_msg, 56, 312, 316, 1540, 0}  (324, {44, 68, new_msg, 56, 312, 316, 1540, 0} "\1\313\0\0B\2\21\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\0\1\0\0\0\310m\352\0\4\1\0\0" ... {96, 120, reply, 0, 312, 316, 1541, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\0\0\310s\14\0\24\0\0\0\0\0\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {96, 120, reply, 0, 312, 316, 1541, 0}  (324, {44, 68, new_msg, 56, 312, 316, 1540, 0} "\1\313\0\0B\2\21\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\0\1\0\0\0\310m\352\0\4\1\0\0" ... {96, 120, reply, 0, 312, 316, 1541, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\0\0\310s\14\0\24\0\0\0\0\0\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01808   316   NtClose  (328, ... ) == 0x0
 01809   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 01810   316   NtRequestWaitReplyPort  (324, {88, 112, new_msg, 0, 312, 316, 1541, 0}  (324, {88, 112, new_msg, 0, 312, 316, 1541, 0} "\1\0\0\0A\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\360|\0\0\2\0\0\0H\1\0\08\1\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 312, 316, 1542, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\0\0\0\0\2\0\0\0" )  ... {40, 64, reply, 0, 312, 316, 1542, 0}  (324, {88, 112, new_msg, 0, 312, 316, 1541, 0} "\1\0\0\0A\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\360|\0\0\2\0\0\0H\1\0\08\1\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 312, 316, 1542, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\0\0\0\0\2\0\0\0" )  ) == 0x0
 01811   316   NtClose  (332, ... ) == 0x0
 01812   316   NtClose  (324, ... ) == 0x0
 01813   316   NtClose  (328, ... ) == 0x0
 01814   316   NtQueryValueKey  (288,  (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01815   316   NtQueryValueKey  (288,  (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01816   316   NtClose  (288, ... ) == 0x0
 01817   316   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0
 01818   316   NtEnumerateKey  (288, 0, Basic, 288, ... {LastWrite={0x910e9784,0x1c7399c}, TitleIdx=0, Name= (288, 0, Basic, 288, ... {LastWrite={0x910e9784,0x1c7399c}, TitleIdx=0, Name="{A004FC53-EF29-4DAA-989E-9C96D0F26D28}"}, 92, ) }, 92, ) == 0x0
 01819   316   NtOpenKey  (0x2000000, {24, 288, 0x40, 0, 0,  (0x2000000, {24, 288, 0x40, 0, 0, "{A004FC53-EF29-4DAA-989E-9C96D0F26D28}"}, ... 328, ) }, ... 328, ) == 0x0
 01820   316   NtQueryValueKey  (328,  (328, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01821   316   NtQueryValueKey  (328,  (328, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01822   316   NtQueryValueKey  (328,  (328, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01823   316   NtQueryValueKey  (328,  (328, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01824   316   NtClose  (328, ... ) == 0x0
 01825   316   NtClose  (288, ... ) == 0x0
 01826   316   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0
 01827   316   NtSetValueKey  (288,  (288, "Last Username", 0, 1, "M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0", 28, ... ) , 0, 1,  (288, "Last Username", 0, 1, "M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0", 28, ... ) , 28, ... ) == 0x0
 01828   316   NtSetValueKey  (288,  (288, "Last User ID", 0, 1, "{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0", 78, ... ) , 0, 1,  (288, "Last User ID", 0, 1, "{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0
 01829   316   NtClose  (288, ... ) == 0x0
 01830   316   NtAddAtom  ( ("I\0D\0E\0N\0T\0I\0T\0Y\0_\0L\0O\0G\0I\0N\0", 28, 15261768, ... ) , 28, 15261768, ... ) == 0x0
 01831   316   NtUserSetProp  (65556, 114717, 622675, ...
 01832   316   NtAllocateVirtualMemory  (-1, 25858048, 0, 4096, 4096, 32, ... 25858048, 4096, ) == 0x0
 01831   316   NtUserSetProp  ... ) == 0x1
 01833   316   NtAllocateVirtualMemory  (-1, 15364096, 0, 4096, 4096, 4, ... 15364096, 4096, ) == 0x0
 01834   316   NtAllocateVirtualMemory  (-1, 15368192, 0, 4096, 4096, 4, ... 15368192, 4096, ) == 0x0
 01835   316   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0
 01836   316   NtQueryValueKey  (288,  (288, "Identity Ordinal", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "Identity Ordinal", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01837   316   NtEnumerateKey  (288, 0, Basic, 288, ... {LastWrite={0x910e9784,0x1c7399c}, TitleIdx=0, Name= (288, 0, Basic, 288, ... {LastWrite={0x910e9784,0x1c7399c}, TitleIdx=0, Name="{A004FC53-EF29-4DAA-989E-9C96D0F26D28}"}, 92, ) }, 92, ) == 0x0
 01838   316   NtOpenKey  (0x2000000, {24, 288, 0x40, 0, 0,  (0x2000000, {24, 288, 0x40, 0, 0, "{A004FC53-EF29-4DAA-989E-9C96D0F26D28}"}, ... 328, ) }, ... 328, ) == 0x0
 01839   316   NtQueryValueKey  (328,  (328, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01840   316   NtQueryValueKey  (328,  (328, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01841   316   NtQueryValueKey  (328,  (328, "Identity Ordinal", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01842   316   NtSetValueKey  (328,  (328, "Identity Ordinal", 0, 4, "\1\0\0\0", 4, ... , 0, 4,  (328, "Identity Ordinal", 0, 4, "\1\0\0\0", 4, ... , 4, ...
 01843   316   NtSetInformationFile  (-2147482732, -133396776, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01842   316   NtSetValueKey  ... ) == 0x0
 01844   316   NtClose  (328, ... ) == 0x0
 01845   316   NtEnumerateKey  (288, 1, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01846   316   NtSetValueKey  (288,  (288, "Identity Ordinal", 0, 4, "\2\0\0\0", 4, ... , 0, 4,  (288, "Identity Ordinal", 0, 4, "\2\0\0\0", 4, ... , 4, ...
 01847   316   NtSetInformationFile  (-2147482732, -133396684, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01846   316   NtSetValueKey  ... ) == 0x0
 01848   316   NtClose  (288, ... ) == 0x0
 01849   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Identities"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01850   316   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Identities"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01851   316   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0
 01852   316   NtQueryValueKey  (288,  (288, "Default User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Default User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01853   316   NtQueryValueKey  (288,  (288, "Default User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Default User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01854   316   NtClose  (288, ... ) == 0x0
 01855   316   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Identities\{A004FC53-EF29-4DAA-989E-9C96D0F26D28}"}, ... 288, ) }, ... 288, ) == 0x0
 01856   316   NtQueryValueKey  (288,  (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01857   316   NtQueryValueKey  (288,  (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "Username", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0a\0i\0n\0 \0I\0d\0e\0n\0t\0i\0t\0y\0\0\0"}, 40, ) }, 40, ) == 0x0
 01858   316   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\PS_SERVICE_STARTED"}, ... 328, ) }, ... 328, ) == 0x0
 01859   316   NtWaitForSingleObject  (328, 0, {-100000000, -1}, ... ) == 0x0
 01860   316   NtClose  (328, ... ) == 0x0
 01861   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 01862   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0
 01863   316   NtConnectPort  ( ("\RPC Control\protected_storage", {12, 2, 1, 1}, 0x0, 0x0, 15264800, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 15264800, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 01864   316   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 125428, 15269888, 15264564, 2012750850}  (332, {128, 152, new_msg, 0, 125428, 15269888, 15264564, 2012750850} "\0\361\350\0\2$\370w\370T\367w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wp\201\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\1\0\0\0T\354\350\0\370`\352\0\240\1\351\0\20\357\350\00V\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\357\350\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 312, 316, 1545, 0} "\7\361\350\0\2$\370w\370T\367w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\1\0\0\0T\354\350\0\370`\352\0\240\1\351\0\20\357\350\00V\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\357\350\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 312, 316, 1545, 0}  (332, {128, 152, new_msg, 0, 125428, 15269888, 15264564, 2012750850} "\0\361\350\0\2$\370w\370T\367w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wp\201\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\1\0\0\0T\354\350\0\370`\352\0\240\1\351\0\20\357\350\00V\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\357\350\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 312, 316, 1545, 0} "\7\361\350\0\2$\370w\370T\367w\361\2177\311\367\26\320\21\240\262\0\252\0aBj\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\1\0\0\0T\354\350\0\370`\352\0\240\1\351\0\20\357\350\00V\352\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\357\350\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 01865   316   NtRequestWaitReplyPort  (332, {148, 172, new_msg, 0, 312, 316, 1542, 0}  (332, {148, 172, new_msg, 0, 312, 316, 1542, 0} "\1\313\0\0A\2\4\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\00\214\7\212U7\320\21\240\275\0\252\0aBjH\1\0\08\1\0\08\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {84, 108, reply, 0, 312, 316, 1546, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\360|\0\0\3\0\0\0\0\0\0\0\0\09\30\00\3008G\20\2015\10\0\00\00\300\0\0\0\0\1009\341\0\0\0\0\377\377<\3\340\313\364\367" )  ... {84, 108, reply, 0, 312, 316, 1546, 0}  (332, {148, 172, new_msg, 0, 312, 316, 1542, 0} "\1\313\0\0A\2\4\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\00\214\7\212U7\320\21\240\275\0\252\0aBjH\1\0\08\1\0\08\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {84, 108, reply, 0, 312, 316, 1546, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\360|\0\0\3\0\0\0\0\0\0\0\0\09\30\00\3008G\20\2015\10\0\00\00\300\0\0\0\0\1009\341\0\0\0\0\377\377<\3\340\313\364\367" )  ) == 0x0
 01866   316   NtClose  (328, ... ) == 0x0
 01867   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 01868   316   NtRequestWaitReplyPort  (332, {44, 68, new_msg, 56, 312, 316, 1546, 0}  (332, {44, 68, new_msg, 56, 312, 316, 1546, 0} "\1\313\0\0B\2\21\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\0\1\0\0\0\310m\352\0\4\1\0\0" ... {96, 120, reply, 0, 312, 316, 1547, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\0\00}\14\0\24\0\0\0\0\0\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {96, 120, reply, 0, 312, 316, 1547, 0}  (332, {44, 68, new_msg, 56, 312, 316, 1546, 0} "\1\313\0\0B\2\21\0`9\210\200d8\0\0d8\0\0`9\210\200\377\377\377\3775\10\0\0\1\0\0\0\310m\352\0\4\1\0\0" ... {96, 120, reply, 0, 312, 316, 1547, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\0\00}\14\0\24\0\0\0\0\0\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01869   316   NtClose  (328, ... ) == 0x0
 01870   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 01871   316   NtRequestWaitReplyPort  (332, {88, 112, new_msg, 0, 312, 316, 1547, 0}  (332, {88, 112, new_msg, 0, 312, 316, 1547, 0} "\1\0\0\0A\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\360|\0\0\3\0\0\0H\1\0\08\1\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 312, 316, 1548, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\0\0\0\0\3\0\0\0" )  ... {40, 64, reply, 0, 312, 316, 1548, 0}  (332, {88, 112, new_msg, 0, 312, 316, 1547, 0} "\1\0\0\0A\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\360|\0\0\3\0\0\0H\1\0\08\1\0\0\0\0\0\0h\360\6\0S\374\4\240)\357\252M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 312, 316, 1548, 0} "\2\313\364\367\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\6\31\2015\10\0\0\0\0\0\0\3\0\0\0" )  ) == 0x0
 01872   316   NtClose  (324, ... ) == 0x0
 01873   316   NtClose  (332, ... ) == 0x0
 01874   316   NtClose  (328, ... ) == 0x0
 01875   316   NtQueryValueKey  (288,  (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01876   316   NtQueryValueKey  (288,  (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (288, "User ID", Partial, 144, ... TitleIdx=0, Type=1, Data="{\0A\00\00\04\0F\0C\05\03\0-\0E\0F\02\09\0-\04\0D\0A\0A\0-\09\08\09\0E\0-\09\0C\09\06\0D\00\0F\02\06\0D\02\08\0}\0\0\0"}, 90, ) }, 90, ) == 0x0
 01877   316   NtClose  (288, ... ) == 0x0
 01878   316   NtQueryDefaultLocale  (1, 15267956, ... ) == 0x0
 01879   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\WAB\WAB4"}, ... 288, ) }, ... 288, ) == 0x0
 01880   316   NtQueryValueKey  (288,  (288, "PropTag1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01881   316   NtQueryValueKey  (288,  (288, "PropTag2", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01882   316   NtClose  (288, ... ) == 0x0
 01883   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 288, ) == 0x0
 01884   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 01885   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 01886   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0
 01887   316   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 116981760, 1048576, ) == 0x0
 01888   316   NtAllocateVirtualMemory  (-1, 116981760, 0, 21216, 4096, 4, ... 116981760, 24576, ) == 0x0
 01889   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 01890   316   NtAllocateVirtualMemory  (-1, 117006336, 0, 4096, 4096, 4, ... 117006336, 4096, ) == 0x0
 01891   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 01892   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 01893   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 01894   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 01895   316   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 340, ) }, ... 340, ) == 0x0
 01896   316   NtQueryValueKey  (340,  (340, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01897   316   NtQueryValueKey  (340,  (340, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01898   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 344, ) == 0x0
 01899   316   NtOpenKey  (0x2000000, {24, 340, 0x40, 0, 0,  (0x2000000, {24, 340, 0x40, 0, 0, "Protocol_Catalog9"}, ... 348, ) }, ... 348, ) == 0x0
 01900   316   NtQueryValueKey  (348,  (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 01901   316   NtNotifyChangeKey  (348, 344, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 01902   316   NtQueryValueKey  (348,  (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 01903   316   NtOpenKey  (0x2000000, {24, 348, 0x40, 0, 0,  (0x2000000, {24, 348, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01904   316   NtQueryValueKey  (348,  (348, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 01905   316   NtQueryValueKey  (348,  (348, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01906   316   NtOpenKey  (0x2000000, {24, 348, 0x40, 0, 0,  (0x2000000, {24, 348, 0x40, 0, 0, "Catalog_Entries"}, ... 352, ) }, ... 352, ) == 0x0
 01907   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000001"}, ... 356, ) }, ... 356, ) == 0x0
 01908   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01909   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01910   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0w\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0w\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0x\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0y\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0y\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0w\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0w\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0x\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0y\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0y\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0y\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0w\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0w\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0x\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0y\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0y\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01911   316   NtClose  (356, ... ) == 0x0
 01912   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000002"}, ... 356, ) }, ... 356, ) == 0x0
 01913   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01914   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01915   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0|\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0|\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0}\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0~\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0~\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0|\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0|\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0}\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0~\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0~\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0~\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0|\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0|\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0}\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0~\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0~\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01916   316   NtClose  (356, ... ) == 0x0
 01917   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000003"}, ... 356, ) }, ... 356, ) == 0x0
 01918   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01919   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01920   316   NtAllocateVirtualMemory  (-1, 15372288, 0, 4096, 4096, 4, ... 15372288, 4096, ) == 0x0
 01921   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\202\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\202\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\203\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\204\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\204\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\202\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\202\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\203\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\204\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\204\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\204\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\202\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\202\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\203\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\204\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\204\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01922   316   NtClose  (356, ... ) == 0x0
 01923   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000004"}, ... 356, ) }, ... 356, ) == 0x0
 01924   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01925   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01926   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\207\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\207\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\210\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\211\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\211\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\207\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\207\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\210\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\211\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\211\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\211\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\207\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\207\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\210\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\211\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\211\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01927   316   NtClose  (356, ... ) == 0x0
 01928   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000005"}, ... 356, ) }, ... 356, ) == 0x0
 01929   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01930   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01931   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\214\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\214\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\215\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\216\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\216\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\214\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\214\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\215\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\216\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\216\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\216\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\214\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\214\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\215\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\216\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\216\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01932   316   NtClose  (356, ... ) == 0x0
 01933   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000006"}, ... 356, ) }, ... 356, ) == 0x0
 01934   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01935   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01936   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\221\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\221\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\222\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\223\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\223\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\221\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\221\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\222\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\223\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\223\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\223\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\221\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\221\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\222\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\223\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\223\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01937   316   NtClose  (356, ... ) == 0x0
 01938   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000007"}, ... 356, ) }, ... 356, ) == 0x0
 01939   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01940   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01941   316   NtAllocateVirtualMemory  (-1, 15376384, 0, 4096, 4096, 4, ... 15376384, 4096, ) == 0x0
 01942   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\227\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\227\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\230\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\231\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\231\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\227\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\227\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\230\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\231\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\231\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\231\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\227\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\227\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\230\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\231\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\231\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01943   316   NtClose  (356, ... ) == 0x0
 01944   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000008"}, ... 356, ) }, ... 356, ) == 0x0
 01945   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01946   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01947   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\234\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\234\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\235\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\235\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\236\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\236\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\234\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\234\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\235\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\235\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\236\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\236\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\236\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\234\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\234\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\235\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\235\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\236\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\236\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01948   316   NtClose  (356, ... ) == 0x0
 01949   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000009"}, ... 356, ) }, ... 356, ) == 0x0
 01950   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01951   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01952   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\241\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\241\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\242\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\243\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\243\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\241\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\241\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\242\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\243\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\243\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\243\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\241\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\241\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\242\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\243\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\243\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01953   316   NtClose  (356, ... ) == 0x0
 01954   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000010"}, ... 356, ) }, ... 356, ) == 0x0
 01955   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01956   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01957   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\246\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\246\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\247\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\250\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\250\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\246\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\246\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\247\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\250\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\250\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\250\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0 (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\246\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\246\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\7\0\08\1\0\0<\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\1\0\0L\373\350\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08V\352\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\247\7\0\08\1\0\0<\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\1\0\0\250\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\352\0\2\0\0\0\220\0\0\0\250\7\0\08\1\0\0<\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\7\0\08\1\0\0<\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01958   316   NtClose  (356, ... ) == 0x0
 01959   316   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "000000000011"}, ... 356, ) }, ... 356, ) == 0x0
 01960   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01961   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01962   316   NtQueryValueKey  (356,  (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\253\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\253\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\1\0\0\254\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\7\0\08\1\0\0<\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0X\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\255\7\0\08\1\0\0<\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\256\7\0\08\1\0\0<\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\256\7\0\08\1\0\0<\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\1\0\0\257\7\0\08\1\0\0<\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\260\352\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0\257\7\0\08\1\0\0<\1\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\260\352\0\0\0\0\0\0\20\0\0\260\7\0\08\1\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (356, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\253\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\1\0\0\253\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\7\0\08\1\0\0<\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\1\0\0\254\7\0\08\1\0\0<\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\7\0\08\1\0\0<\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0X\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\255\7\0\08\1\0\0<\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\256\7\0\08\1\0\0<\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\256\7\0\08\1\0\0<\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\1\0\0\257\7\0\08\1\0\0<\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\260\352\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0\257\7\0\08\1\0\0<\1\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\260\352\0\0\0\0\0\0\20\0\0\260\7\0\08\1\0\0"}, 900, ) }, 900, ) == 0x0
 01963   316   NtClose  (356, ... ) == 0x0
 01964   316   NtClose  (352, ... ) == 0x0
 01965   316   NtWaitForSingleObject  (344, 0, {0, 0}, ... ) == 0x102
 01966   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 352, ) == 0x0
 01967   316   NtAllocateVirtualMemory  (-1, 15380480, 0, 4096, 4096, 4, ... 15380480, 4096, ) == 0x0
 01968   316   NtOpenKey  (0x2000000, {24, 340, 0x40, 0, 0,  (0x2000000, {24, 340, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 356, ) }, ... 356, ) == 0x0
 01969   316   NtQueryValueKey  (356,  (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01970   316   NtNotifyChangeKey  (356, 352, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 01971   316   NtQueryValueKey  (356,  (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01972   316   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01973   316   NtQueryValueKey  (356,  (356, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 01974   316   NtOpenKey  (0x2000000, {24, 356, 0x40, 0, 0,  (0x2000000, {24, 356, 0x40, 0, 0, "Catalog_Entries"}, ... 360, ) }, ... 360, ) == 0x0
 01975   316   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "000000000001"}, ... 364, ) }, ... 364, ) == 0x0
 01976   316   NtQueryValueKey  (364,  (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01977   316   NtQueryValueKey  (364,  (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01978   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01979   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01980   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01981   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01982   316   NtQueryValueKey  (364,  (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01983   316   NtQueryValueKey  (364,  (364, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01984   316   NtQueryValueKey  (364,  (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01985   316   NtQueryValueKey  (364,  (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01986   316   NtQueryValueKey  (364,  (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01987   316   NtQueryValueKey  (364,  (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01988   316   NtClose  (364, ... ) == 0x0
 01989   316   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "000000000002"}, ... 364, ) }, ... 364, ) == 0x0
 01990   316   NtQueryValueKey  (364,  (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01991   316   NtQueryValueKey  (364,  (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01992   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01993   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01994   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01995   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01996   316   NtQueryValueKey  (364,  (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01997   316   NtQueryValueKey  (364,  (364, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   316   NtQueryValueKey  (364,  (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01999   316   NtQueryValueKey  (364,  (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02000   316   NtQueryValueKey  (364,  (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02001   316   NtQueryValueKey  (364,  (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02002   316   NtClose  (364, ... ) == 0x0
 02003   316   NtOpenKey  (0x20019, {24, 360, 0x40, 0, 0,  (0x20019, {24, 360, 0x40, 0, 0, "000000000003"}, ... 364, ) }, ... 364, ) == 0x0
 02004   316   NtQueryValueKey  (364,  (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02005   316   NtQueryValueKey  (364,  (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02006   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02007   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02008   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02009   316   NtQueryValueKey  (364,  (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (364, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02010   316   NtQueryValueKey  (364,  (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 02011   316   NtQueryValueKey  (364,  (364, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02012   316   NtQueryValueKey  (364,  (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 02013   316   NtQueryValueKey  (364,  (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02014   316   NtQueryValueKey  (364,  (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02015   316   NtQueryValueKey  (364,  (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02016   316   NtClose  (364, ... ) == 0x0
 02017   316   NtClose  (360, ... ) == 0x0
 02018   316   NtWaitForSingleObject  (352, 0, {0, 0}, ... ) == 0x102
 02019   316   NtClose  (340, ... ) == 0x0
 02020   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02021   316   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02022   316   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 340, ) }, ... 340, ) == 0x0
 02023   316   NtQueryValueKey  (340,  (340, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02024   316   NtClose  (340, ... ) == 0x0
 02025   316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 340, ) == 0x0
 02026   316   NtAllocateVirtualMemory  (-1, 117010432, 0, 4096, 4096, 4, ... 117010432, 4096, ) == 0x0
 02027   316   NtAllocateVirtualMemory  (-1, 117014528, 0, 4096, 4096, 4, ... 117014528, 4096, ) == 0x0
 02028   316   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 360, ) == 0x0
 02029   316   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x7090000), 0x0, 4194304, ) == 0x0
 02030   316   NtAllocateVirtualMemory  (-1, 118030336, 0, 1, 4096, 4, ... 118030336, 4096, ) == 0x0
 02031   316   NtAllocateVirtualMemory  (-1, 118034432, 0, 4808, 4096, 4, ... 118034432, 8192, ) == 0x0
 02032   316   NtCreateSection  (0xf0007, 0x0, {33036, 0}, 4, 134217728, 0, ... 364, ) == 0x0
 02033   316   NtMapViewOfSection  (364, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x6f30000), {0, 0}, 36864, ) == 0x0
 02034   316   NtUnmapViewOfSection  (-1, 0x6f30000, ... ) == 0x0
 02035   316   NtMapViewOfSection  (364, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x6f30000), {0, 0}, 36864, ) == 0x0
 02036   316   NtClose  (360, ... ) == 0x0
 02037   316   NtUnmapViewOfSection  (-1, 0x7090000, ... ) == 0x0
 02038   316   NtUnmapViewOfSection  (-1, 0x6f30000, ... ) == 0x0
 02039   316   NtMapViewOfSection  (364, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x6f30000), {0, 0}, 36864, ) == 0x0
 02040   316   NtUnmapViewOfSection  (-1, 0x6f30000, ... ) == 0x0
 02041   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02042   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02043   316   NtClose  (364, ... ) == 0x0
 02044   316   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 15268260,  (0x80100080, {24, 0, 0x40, 0, 15268260, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) == 0x0
 02045   316   NtQueryInformationFile  (364, 15268312, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02046   316   NtClose  (364, ... ) == 0x0
 02047   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02048   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02049   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02050   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02051   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02052   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02053   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02054   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02055   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02056   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02057   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02058   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02059   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02060   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02061   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02062   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000002"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02063   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02064   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02065   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000003"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02066   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02067   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02068   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02070   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02071   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02072   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02073   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02074   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000006"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02075   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02076   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02077   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000007"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02078   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02079   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02080   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000008"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02081   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02082   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02083   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000009"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02084   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02085   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02086   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000010"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02087   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02088   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02089   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000011"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02090   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02091   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02092   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000012"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02093   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02094   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02095   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000013"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02096   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02097   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02098   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000014"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02099   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02100   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02101   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000015"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02102   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02103   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02104   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000016"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02105   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02106   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02107   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000017"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02108   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02109   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02110   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000018"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02111   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02112   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02113   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02114   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02115   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02116   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000020"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02117   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02118   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02119   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000021"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02120   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02121   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02122   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000022"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02123   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02124   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02125   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000023"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02126   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02127   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02128   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000024"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02129   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02130   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02131   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000025"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02132   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02133   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02134   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000026"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02135   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02136   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02137   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000027"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02138   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02139   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02140   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000028"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02141   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02142   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02143   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000029"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02144   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02145   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02146   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000030"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02147   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02148   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02149   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000031"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02150   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02151   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02152   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000032"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02153   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02154   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02155   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000033"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02156   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02157   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02158   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000034"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02159   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02160   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02161   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000035"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02162   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02163   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02164   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000036"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02165   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02166   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02167   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000037"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02168   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02169   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02170   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000038"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02171   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02172   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02173   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000039"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02174   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02175   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02176   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000040"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02177   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02178   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02179   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000041"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02180   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02181   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02182   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000042"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02183   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02184   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02185   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000043"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02186   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02187   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02188   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000044"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02189   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02190   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02191   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000045"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02193   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02194   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000046"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02195   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02196   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02197   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000047"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02198   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02199   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02200   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000048"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02201   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02202   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02203   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000049"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02205   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02206   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000050"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02208   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02209   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000051"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02210   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02211   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02212   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000052"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02213   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02214   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02215   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000053"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02216   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02217   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02218   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000054"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02219   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02220   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02221   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000055"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02222   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02223   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02224   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000056"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02225   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02226   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02227   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000057"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02228   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02229   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02230   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000058"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02231   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02232   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02233   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000059"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02234   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02235   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02236   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000060"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02237   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02238   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02239   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000061"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02240   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02241   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02242   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000062"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02243   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02244   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02245   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000063"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02246   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02247   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02248   316   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Account Manager\Accounts\00000064"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02249   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02250   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02251   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02252   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02253   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02254   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02255   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02256   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02257   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02258   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02259   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02260   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02261   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02262   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02263   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02264   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02265   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02266   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02267   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02268   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02269   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02270   316   NtAllocateVirtualMemory  (-1, 117018624, 0, 4096, 4096, 4, ... 117018624, 4096, ) == 0x0
 02271   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02272   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02273   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02274   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02275   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02276   316   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 364, ) }, ... 364, ) == 0x0
 02277   316   NtQueryValueKey  (364,  (364, "Local AppData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02278   316   NtQueryValueKey  (364,  (364, "Local AppData", Partial, 146, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 146, ) , Partial, 146, ... TitleIdx=0, Type=1, Data= (364, "Local AppData", Partial, 146, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 146, ) }, 146, ) == 0x0
 02279   316   NtQueryValueKey  (364,  (364, "Local AppData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02280   316   NtQueryValueKey  (364,  (364, "Local AppData", Partial, 146, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 146, ) , Partial, 146, ... TitleIdx=0, Type=1, Data= (364, "Local AppData", Partial, 146, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 146, ) }, 146, ) == 0x0
 02281   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02282   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02283   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02284   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02285   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02286   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02287   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02288   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02289   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02290   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02291   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02292   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02293   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02294   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02295   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02296   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02297   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02298   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02299   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02300   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02301   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02302   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02303   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02304   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02305   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02306   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02307   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02308   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02309   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02310   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02311   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02312   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02313   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02314   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02315   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02316   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02317   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02318   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02319   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02320   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02321   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02322   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02323   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02324   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02325   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02326   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02327   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02328   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02329   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02330   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02331   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02332   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02333   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02334   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02335   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02336   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02337   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02338   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02339   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02340   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02341   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02342   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02343   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02344   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02345   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02346   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02347   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02348   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02349   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02350   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02351   316   NtAllocateVirtualMemory  (-1, 117022720, 0, 4096, 4096, 4, ... 117022720, 4096, ) == 0x0
 02352   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02353   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02354   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02355   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02356   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02357   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02358   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02359   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02360   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02361   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02362   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02363   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02364   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02365   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02366   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02367   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02368   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02369   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02370   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02371   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02372   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02373   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02374   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02375   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02376   316   NtDelayExecution  (0, {-50000, -1}, ... ) == 0x0
 02377   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02378   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02379   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02380   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02381   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02382   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02383   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02384   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02385   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02386   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02387   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02388   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02389   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02390   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02391   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02392   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02393   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02394   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02395   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02396   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02397   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02398   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02399   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02400   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02401   316   NtDelayExecution  (0, {-30000, -1}, ... ) == 0x0
 02402   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02403   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02404   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02405   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02406   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02407   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02408   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02409   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02410   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02411   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02412   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02413   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02414   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02415   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02416   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02417   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02418   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02419   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02420   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02421   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02422   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02423   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02424   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02425   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02426   316   NtDelayExecution  (0, {-70000, -1}, ... ) == 0x0
 02427   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02428   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02429   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02430   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02431   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02432   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02433   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02434   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02435   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02436   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02437   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02438   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02439   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02440   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02441   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02442   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02443   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02444   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02445   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02446   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02447   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02448   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02449   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02450   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02451   316   NtDelayExecution  (0, {-110000, -1}, ... ) == 0x0
 02452   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02453   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02454   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02455   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02456   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02457   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02458   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02459   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02460   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02461   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02462   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02463   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02464   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02465   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02466   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02467   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02468   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02469   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02470   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02471   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02472   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02473   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02474   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02475   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02476   316   NtDelayExecution  (0, {-90000, -1}, ... ) == 0x0
 02477   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02478   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02479   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02480   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02481   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02482   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02483   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02484   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02485   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02486   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02487   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02488   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02489   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02490   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02491   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02492   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02493   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02494   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02495   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02496   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02497   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02498   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02499   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02500   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02501   316   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 15268008,  (0x80100080, {24, 0, 0x40, 0, 15268008, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 360, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 360, {status=0x0, info=1}, ) == 0x0
 02502   316   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 360, ... 368, ) == 0x0
 02503   316   NtMapViewOfSection  (368, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x7090000), {0, 0}, 86016, ) == 0x0
 02504   316   NtQueryInformationFile  (360, 15268056, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02505   316   NtAllocateVirtualMemory  (-1, 0, 0, 85946, 12288, 64, ... 118161408, 86016, ) == 0x0
 02506   316   NtUnmapViewOfSection  (-1, 0x7090000, ... ) == 0x0
 02507   316   NtClose  (368, ... ) == 0x0
 02508   316   NtClose  (360, ... ) == 0x0
 02509   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02510   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02511   316   NtQueryDefaultLocale  (1, 15267876, ... ) == 0x0
 02512   316   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02513   316   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 118292480, 262144, ) == 0x0
 02514   316   NtAllocateVirtualMemory  (-1, 118292480, 0, 4096, 4096, 4, ... 118292480, 4096, ) == 0x0
 02515   316   NtAllocateVirtualMemory  (-1, 118296576, 0, 8192, 4096, 4, ... 118296576, 8192, ) == 0x0
 02516   316   NtWaitForSingleObject  (136, 0, {-200000000, -1}, ... ) == 0x0
 02517   316   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 15266856,  (0xc0100080, {24, 0, 0x40, 0, 15266856, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Address Book\SRI-user.wab"}, 0x0, 0, 3, 1, 2144, 0, 0, ... 360, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 2144, 0, 0, ... 360, {status=0x0, info=1}, ) == 0x0
 02518   316   NtQueryInformationFile  (360, 15268232, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02519   316   NtSetInformationFile  (360, 15268216, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02520   316   NtReadFile  (360, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164},  (360, 0, 0, 0, 164, 0x0, 0, ... {status=0x0, info=164}, "\234\313\313\215\23u\322\21\221X\0\300OyV\244\0\0\0\0\1\0\0\0\240\17\0\0\0\0\0\0\244\10\0\0\0\0\0\0\320\204\0\0\0\0\0\0D\30\0\0\0\0\0\0\320\204\0\0\0\0\0\0\24\235\0\0\0\0\0\0\320\204\0\0\0\0\0\0\344!\1\0\0\0\0\0\320\204\0\0\0\0\0\0\264\246\1\0\0\0\0\0\320\204\0\0\0\0\0\0\204+\2\0\0\0\0\0\0\0\0\0\364\1\0\0\0\0\0\0\0\10\0\0\264\1\0\0\244\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02521   316   NtClose  (360, ... ) == 0x0
 02522   316   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 02523   316   NtAllocateVirtualMemory  (-1, 117026816, 0, 4096, 4096, 4, ... 117026816, 4096, ) == 0x0
 02524   316   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 360, ) == 0x0
 02525   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02526   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02527   316   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 15268040,  (0x80100080, {24, 0, 0x40, 0, 15268040, "\??\c:\windows\system32\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02528   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02529   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02530   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02531   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02532   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02533   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02534   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02535   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02536   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02537   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02538   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02539   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02540   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02541   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02542   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02543   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02544   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02545   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02546   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02547   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02548   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02549   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02550   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02551   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02552   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02553   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02554   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02555   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02556   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02557   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02558   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02559   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02560   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02561   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02562   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02563   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02564   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02565   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02566   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02567   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02568   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02569   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02570   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02571   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02572   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02573   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02574   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02575   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02576   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02577   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02578   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02579   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02580   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02581   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02582   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02583   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02584   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02585   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02586   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02587   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02588   316   NtWaitForSingleObject  (68, 0, 0x0, ... ) == 0x0
 02589   316   NtSetEvent  (68, ... 0x0, ) == 0x0
 02590   316   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 15266984,  (0x80100080, {24, 0, 0x40, 0, 15266984, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 368, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 368, {status=0x0, info=1}, ) == 0x0
 02591   316   NtQueryInformationFile  (368, 15267920, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 02592   316   NtQueryInformationFile  (368, 15267892, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02593   316   NtQueryInformationFile  (368, 15267844, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02594   316   NtAllocateVirtualMemory  (-1, 15384576, 0, 8192, 4096, 4, ... 15384576, 8192, ) == 0x0
 02595   316   NtQueryInformationFile  (368, 15383472, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 02596   316   NtQueryInformationFile  (368, 15266388, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02597   316   NtQueryInformationFile  (368, 15266232, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 02598   316   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 15266240,  (0x40110080, {24, 0, 0x40, 0, 15266240, "\??\c:\windows\system32\ieupdate.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 02599   316   NtClose  (-2147482020, ... ) == 0x0
 02598   316   NtCreateFile  ... 372, {status=0x0, info=2}, ) == 0x0
 02600   316   NtQueryVolumeInformationFile  (372, 15265612, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 02601   316   NtQueryInformationFile  (372, 15265572, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02602   316   NtQueryVolumeInformationFile  (368, 15265612, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02603   316   NtQueryVolumeInformationFile  (368, 15265296, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02604   316   NtSetInformationFile  (372, 15265400, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02605   316   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 368, ... 376, ) == 0x0
 02606   316   NtMapViewOfSection  (376, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x7090000), {0, 0}, 86016, ) == 0x0
 02607   316   NtClose  (376, ... ) == 0x0
 02608   316   NtWriteFile  (372, 0, 0, 0,  (372, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0O\27\272\235\13v\324\316\13v\324\316\13v\324\316\16z\333\316\23v\324\316\30~\275\316\10v\324\316\30~\211\316\11v\324\316\16z\213\316\213v\324\316\361U\315\316\11v\324\316\13v\325\316\244v\324\316\210~\211\316\2v\324\316\13v\324\316\10v\324\316\16z\264\316=v\324\316\16z\216\316\12v\324\316Rich\13v\324\316\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\266\200\5E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0@\1\0\0\20\0\0\0\260\6\0\20\375\7\0\0\300\6\0\0\0\10\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\10\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\240\0\0\20\0\0\0\0\240\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0p\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02609   316   NtWriteFile  (372, 0, 0, 0,  (372, 0, 0, 0, "+\326\270v\362\273m\253\1\5;\2156\@\256!Z\260\22\210\200\226\340h\244,\26\7[\4cnz:d1Y\373a\35!\202\331\325+\343\322Y\354=\17\343\345\370\11,\200Fp\313f\305'\0\362g\247\247\36\211\236\360V\36\222\220_\25\356\216$\350*\27\316\27412M\27K\22\277\372\6\351\\371](1\334B\320\256*\205/\334|\\37/\332l}\244"\224\360\376kJ\330u\260U\16l\270\221\177\324\12\354Q\355^\322\362"U(_`&^\220\315>\201:\12\340A><:K\13X\26y\256[\351\234k\371\335\2730\65\310U1\351\261\264Hc\2\205\14\341\360\367\314\360H\221\336 h:B\263\207\323~\330\32f\225\370\236*\217\23\25k\351\351\12}*\3\246\363x\273\365\4#\361\17\263tCh\34`\337h\363b\274\361\277\3400=fA'\303\231\344\12\177c{\7\23\340r\3277\232\314\344\26\30\275\271\25\3\177$\265)\2\312X&h>z:\264\236W\343\336"\200\375\346\37\359\371v\20\340>'R+$:.\263\231\245*n\221x\224#\314C\2\334\3522\3738\353n\207*\306\12\277\264\202\327:\332b\367\355\323\275yG\33nw\3166!G#\215\252!\266\206/\350\13'+\273T&\362'\266\375\335", 22016, 0x0, 0, ... {status=0x0, info=22016}, ) \373a\35!\202\331\325+\343\322Y\354=\17\343\345\370\11,\200Fp\313f\305'\0\362g\247\247\36\211\236\360V\36\222\220_\25\356\216$\350*\27\316\27412M\27K\22\277\372\6\351\\371](1\334B\320\256*\205/\334|\\37/\332l}\244 (372, 0, 0, 0, "+\326\270v\362\273m\253\1\5;\2156\@\256!Z\260\22\210\200\226\340h\244,\26\7[\4cnz:d1Y\373a\35!\202\331\325+\343\322Y\354=\17\343\345\370\11,\200Fp\313f\305'\0\362g\247\247\36\211\236\360V\36\222\220_\25\356\216$\350*\27\316\27412M\27K\22\277\372\6\351\\371](1\334B\320\256*\205/\334|\\37/\332l}\244"\224\360\376kJ\330u\260U\16l\270\221\177\324\12\354Q\355^\322\362"U(_`&^\220\315>\201:\12\340A><:K\13X\26y\256[\351\234k\371\335\2730\65\310U1\351\261\264Hc\2\205\14\341\360\367\314\360H\221\336 h:B\263\207\323~\330\32f\225\370\236*\217\23\25k\351\351\12}*\3\246\363x\273\365\4#\361\17\263tCh\34`\337h\363b\274\361\277\3400=fA'\303\231\344\12\177c{\7\23\340r\3277\232\314\344\26\30\275\271\25\3\177$\265)\2\312X&h>z:\264\236W\343\336"\200\375\346\37\359\371v\20\340>'R+$:.\263\231\245*n\221x\224#\314C\2\334\3522\3738\353n\207*\306\12\277\264\202\327:\332b\367\355\323\275yG\33nw\3166!G#\215\252!\266\206/\350\13'+\273T&\362'\266\375\335", 22016, 0x0, 0, ... {status=0x0, info=22016}, ) U(_`&^\220\315>\201:\12\340A><:K\13X\26y\256[\351\234k\371\335\2730\65\310U1\351\261\264Hc\2\205\14\341\360\367\314\360H\221\336 h:B\263\207\323~\330\32f\225\370\236*\217\23\25k\351\351\12}*\3\246\363x\273\365\4#\361\17\263tCh\34`\337h\363b\274\361\277\3400=fA'\303\231\344\12\177c{\7\23\340r\3277\232\314\344\26\30\275\271\25\3\177$\265)\2\312X&h>z:\264\236W\343\336 (372, 0, 0, 0, "+\326\270v\362\273m\253\1\5;\2156\@\256!Z\260\22\210\200\226\340h\244,\26\7[\4cnz:d1Y\373a\35!\202\331\325+\343\322Y\354=\17\343\345\370\11,\200Fp\313f\305'\0\362g\247\247\36\211\236\360V\36\222\220_\25\356\216$\350*\27\316\27412M\27K\22\277\372\6\351\\371](1\334B\320\256*\205/\334|\\37/\332l}\244"\224\360\376kJ\330u\260U\16l\270\221\177\324\12\354Q\355^\322\362"U(_`&^\220\315>\201:\12\340A><:K\13X\26y\256[\351\234k\371\335\2730\65\310U1\351\261\264Hc\2\205\14\341\360\367\314\360H\221\336 h:B\263\207\323~\330\32f\225\370\236*\217\23\25k\351\351\12}*\3\246\363x\273\365\4#\361\17\263tCh\34`\337h\363b\274\361\277\3400=fA'\303\231\344\12\177c{\7\23\340r\3277\232\314\344\26\30\275\271\25\3\177$\265)\2\312X&h>z:\264\236W\343\336"\200\375\346\37\359\371v\20\340>'R+$:.\263\231\245*n\221x\224#\314C\2\334\3522\3738\353n\207*\306\12\277\264\202\327:\332b\367\355\323\275yG\33nw\3166!G#\215\252!\266\206/\350\13'+\273T&\362'\266\375\335", 22016, 0x0, 0, ... {status=0x0, info=22016}, ) , 22016, 0x0, 0, ... {status=0x0, info=22016}, ) == 0x0
 02610   316   NtUnmapViewOfSection  (-1, 0x7090000, ... ) == 0x0
 02611   316   NtSetInformationFile  (372, 15267844, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02612   316   NtClose  (368, ... ) == 0x0
 02613   316   NtClose  (372, ... ) == 0x0
 02614   316   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\c:\windows\system32"}, 3, 33, ... 372, {status=0x0, info=1}, ) }, 3, 33, ... 372, {status=0x0, info=1}, ) == 0x0
 02615   316   NtQueryVolumeInformationFile  (372, 15268036, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02616   316   NtClose  (84, ... ) == 0x0
 02617   316   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02618   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\windows\system32\ieupdate.exe"}, 15264476, ... ) }, 15264476, ... ) == 0x0
 02619   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\windows\system32\ieupdate.exe"}, 15265168, ... ) }, 15265168, ... ) == 0x0
 02620   316   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\c:\windows\system32\ieupdate.exe"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 02621   316   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 84, ... 368, ) == 0x0
 02622   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02623   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 376, ) }, ... 376, ) == 0x0
 02624   316   NtQueryValueKey  (376,  (376, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02625   316   NtClose  (376, ... ) == 0x0
 02626   316   NtQueryVolumeInformationFile  (84, 15264476, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02627   316   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 376, ) }, ... 376, ) == 0x0
 02628   316   NtWaitForSingleObject  (376, 0, {-1000000, -1}, ... ) == 0x0
 02629   316   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 380, ) }, ... 380, ) == 0x0
 02630   316   NtMapViewOfSection  (380, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x6f30000), {0, 0}, 57344, ) == 0x0
 02631   316   NtReleaseMutant  (376, ... 0x0, ) == 0x0
 02632   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 15262460, ... ) }, 15262460, ... ) == 0x0
 02633   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 384, {status=0x0, info=1}, ) }, 5, 96, ... 384, {status=0x0, info=1}, ) == 0x0
 02634   316   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 384, ... 388, ) == 0x0
 02635   316   NtClose  (384, ... ) == 0x0
 02636   316   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x7090000), 0x0, 106496, ) == 0x0
 02637   316   NtClose  (388, ... ) == 0x0
 02638   316   NtUnmapViewOfSection  (-1, 0x7090000, ... ) == 0x0
 02639   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 15262776, ... ) }, 15262776, ... ) == 0x0
 02640   316   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0
 02641   316   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 388, ... 384, ) == 0x0
 02642   316   NtQuerySection  (384, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02643   316   NtClose  (388, ... ) == 0x0
 02644   316   NtMapViewOfSection  (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 02645   316   NtClose  (384, ... ) == 0x0
 02646   316   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 384, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 384, {status=0x0, info=1}, ) == 0x0
 02647   316   NtQueryInformationFile  (384, 15263064, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02648   316   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 384, ... 388, ) == 0x0
 02649   316   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x7110000), 0x0, 1028096, ) == 0x0
 02650   316   NtQueryInformationFile  (384, 15263160, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02651   316   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02652   316   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02653   316   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02654   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\windows\system32\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02655   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15260724, 616, BothDirectory, 1,  (392, 0, 0, 0, 15260724, 616, BothDirectory, 1, "ieupdate.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02656   316   NtClose  (392, ... ) == 0x0
 02657   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02658   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02659   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\windows\system32\ieupdate.exe"}, 15260112, ... ) }, 15260112, ... ) == 0x0
 02660   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02661   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15259472, 616, BothDirectory, 1,  (392, 0, 0, 0, 15259472, 616, BothDirectory, 1, "windows", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02662   316   NtClose  (392, ... ) == 0x0
 02663   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\windows\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02664   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15259472, 616, BothDirectory, 1,  (392, 0, 0, 0, 15259472, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02665   316   NtClose  (392, ... ) == 0x0
 02666   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\windows\system32\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02667   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15259472, 616, BothDirectory, 1,  (392, 0, 0, 0, 15259472, 616, BothDirectory, 1, "ieupdate.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02668   316   NtClose  (392, ... ) == 0x0
 02669   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02670   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02671   316   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02672   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02673   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02674   316   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02675   316   NtClose  (392, ... ) == 0x0
 02676   316   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02677   316   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ieupdate.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02678   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02679   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02680   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\windows\system32\ieupdate.exe"}, 15262392, ... ) }, 15262392, ... ) == 0x0
 02681   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02682   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15261752, 616, BothDirectory, 1,  (392, 0, 0, 0, 15261752, 616, BothDirectory, 1, "windows", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02683   316   NtClose  (392, ... ) == 0x0
 02684   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\windows\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02685   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15261752, 616, BothDirectory, 1,  (392, 0, 0, 0, 15261752, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02686   316   NtClose  (392, ... ) == 0x0
 02687   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\windows\system32\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02688   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15261752, 616, BothDirectory, 1,  (392, 0, 0, 0, 15261752, 616, BothDirectory, 1, "ieupdate.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02689   316   NtClose  (392, ... ) == 0x0
 02690   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02691   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02692   316   NtWaitForSingleObject  (376, 0, {-1000000, -1}, ... ) == 0x0
 02693   316   NtQueryVolumeInformationFile  (84, 15263036, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02694   316   NtQueryInformationFile  (84, 15263016, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02695   316   NtQueryInformationFile  (84, 15263056, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02696   316   NtReleaseMutant  (376, ... 0x0, ) == 0x0
 02697   316   NtUnmapViewOfSection  (-1, 0x7110000, ... ) == 0x0
 02698   316   NtClose  (388, ... ) == 0x0
 02699   316   NtClose  (384, ... ) == 0x0
 02700   316   NtQuerySection  (368, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02701   316   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieupdate.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02702   316   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02703   316   NtOpenProcessToken  (-1, 0xa, ... 384, ) == 0x0
 02704   316   NtQueryInformationToken  (384, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 02705   316   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02706   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 02707   316   NtQueryValueKey  (388,  (388, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (388, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02708   316   NtQueryValueKey  (388,  (388, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (388, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02709   316   NtClose  (388, ... ) == 0x0
 02710   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 02711   316   NtQueryValueKey  (388,  (388, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02712   316   NtQueryValueKey  (388,  (388, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (388, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 02713   316   NtClose  (388, ... ) == 0x0
 02714   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02715   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 02716   316   NtQueryValueKey  (388,  (388, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02717   316   NtClose  (388, ... ) == 0x0
 02718   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02719   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02720   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02721   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02722   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02723   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02724   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02725   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02726   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02727   316   NtQueryDefaultLocale  (1, 15263848, ... ) == 0x0
 02728   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 388, ) }, ... 388, ) == 0x0
 02729   316   NtEnumerateKey  (388, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (388, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02730   316   NtOpenKey  (0x20019, {24, 388, 0x40, 0, 0,  (0x20019, {24, 388, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 392, ) }, ... 392, ) == 0x0
 02731   316   NtQueryValueKey  (392,  (392, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (392, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02732   316   NtQueryValueKey  (392,  (392, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (392, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02733   316   NtClose  (392, ... ) == 0x0
 02734   316   NtEnumerateKey  (388, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02735   316   NtClose  (388, ... ) == 0x0
 02736   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02737   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02738   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02739   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02740   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02741   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02742   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02743   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02744   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02745   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02746   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02747   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02748   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02749   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02750   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02751   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02752   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02753   316   NtClose  (388, ... ) == 0x0
 02754   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02755   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02756   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02757   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02758   316   NtClose  (388, ... ) == 0x0
 02759   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02760   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02761   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02762   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02763   316   NtClose  (388, ... ) == 0x0
 02764   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02765   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02766   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02767   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02768   316   NtClose  (388, ... ) == 0x0
 02769   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02770   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02771   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02772   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02773   316   NtClose  (388, ... ) == 0x0
 02774   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02775   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02776   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02777   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02778   316   NtClose  (388, ... ) == 0x0
 02779   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02780   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02781   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02782   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02783   316   NtClose  (388, ... ) == 0x0
 02784   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02785   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02786   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02787   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02788   316   NtClose  (388, ... ) == 0x0
 02789   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02790   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02791   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02792   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02793   316   NtClose  (388, ... ) == 0x0
 02794   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02795   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02796   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02797   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02798   316   NtClose  (388, ... ) == 0x0
 02799   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02800   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02801   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02802   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02803   316   NtClose  (388, ... ) == 0x0
 02804   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02805   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02806   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02807   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02808   316   NtClose  (388, ... ) == 0x0
 02809   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02810   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02811   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02812   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02813   316   NtClose  (388, ... ) == 0x0
 02814   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02815   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02816   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02817   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02818   316   NtClose  (388, ... ) == 0x0
 02819   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02820   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02821   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02822   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02823   316   NtClose  (388, ... ) == 0x0
 02824   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02825   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 02826   316   NtQueryValueKey  (388,  (388, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (388, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (388, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02827   316   NtClose  (388, ... ) == 0x0
 02828   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02829   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 388, ) == 0x0
 02830   316   NtQueryInformationToken  (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02831   316   NtClose  (388, ... ) == 0x0
 02832   316   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02833   316   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02834   316   NtOpenProcessToken  (-1, 0xa, ... 388, ) == 0x0
 02835   316   NtDuplicateToken  (388, 0xc, {24, 0, 0x0, 0, 15264368, 0x0}, 0, 2, ... 392, ) == 0x0
 02836   316   NtClose  (388, ... ) == 0x0
 02837   316   NtAccessCheck  (15390272, 392, 0x1, 15264496, 15264440, 56, 15264524, ... (0x1), ) == 0x0
 02838   316   NtClose  (392, ... ) == 0x0
 02839   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 392, ) }, ... 392, ) == 0x0
 02840   316   NtQueryValueKey  (392,  (392, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (392, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02841   316   NtClose  (392, ... ) == 0x0
 02842   316   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 392, ) }, ... 392, ) == 0x0
 02843   316   NtQuerySymbolicLinkObject  (392, ...  (392, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02844   316   NtClose  (392, ... ) == 0x0
 02845   316   NtQueryInformationFile  (84, 15262828, 528, Name, ... {status=0x0, info=64}, ) == 0x0
 02846   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02847   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02848   316   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieupdate.exe"}, 15261508, ... ) }, 15261508, ... ) == 0x0
 02849   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02850   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15260868, 616, BothDirectory, 1,  (392, 0, 0, 0, 15260868, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02851   316   NtClose  (392, ... ) == 0x0
 02852   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02853   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15260868, 616, BothDirectory, 1,  (392, 0, 0, 0, 15260868, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02854   316   NtClose  (392, ... ) == 0x0
 02855   316   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02856   316   NtQueryDirectoryFile  (392, 0, 0, 0, 15260868, 616, BothDirectory, 1,  (392, 0, 0, 0, 15260868, 616, BothDirectory, 1, "ieupdate.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02857   316   NtClose  (392, ... ) == 0x0
 02858   316   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02859   316   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02860   316   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02861   316   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 392, ) == 0x0
 02862   316   NtQueryInformationToken  (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02863   316   NtClose  (392, ... ) == 0x0
 02864   316   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 392, ) }, ... 392, ) == 0x0
 02865   316   NtOpenKey  (0x20019, {24, 392, 0x40, 0, 0,  (0x20019, {24, 392, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 388, ) }, ... 388, ) == 0x0
 02866   316   NtClose  (392, ... ) == 0x0
 02867   316   NtQueryValueKey  (388,  (388, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02868   316   NtQueryValueKey  (388,  (388, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (388, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02869   316   NtClose  (388, ... ) == 0x0
 02870   316   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 118030336, 4096, ) == 0x0
 02871   316   NtAllocateVirtualMemory  (-1, 118030336, 0, 4096, 4096, 4, ... 118030336, 4096, ) == 0x0
 02872   316   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 388, ) }, ... 388, ) == 0x0
 02873   316   NtQueryValueKey  (388,  (388, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02874   316   NtClose  (388, ... ) == 0x0
 02875   316   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02876   316   NtQueryInformationToken  (384, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02877   316   NtQueryInformationToken  (384, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02878   316   NtClose  (384, ... ) == 0x0
 02879   316   NtCreateProcessEx  (15267104, 2035711, 0, -1, 0, 368, 0, 0, 0, ... ) == 0x0
 02880   316   NtQueryInformationProcess  (384, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=636,ParentPid=312,}, 0x0, ) == 0x0
 02881   316   NtReadVirtualMemory  (384, 0x7ffdf008, 4, ...  (384, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 02882   316   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\c:\windows\system32\ieupdate.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02883   316   NtAllocateVirtualMemory  (-1, 15392768, 0, 8192, 4096, 4, ... 15392768, 8192, ) == 0x0
 02884   316   NtReadVirtualMemory  (384, 0x400000, 4096, ...  (384, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0O\27\272\235\13v\324\316\13v\324\316\13v\324\316\16z\333\316\23v\324\316\30~\275\316\10v\324\316\30~\211\316\11v\324\316\16z\213\316\213v\324\316\361U\315\316\11v\324\316\13v\325\316\244v\324\316\210~\211\316\2v\324\316\13v\324\316\10v\324\316\16z\264\316=v\324\316\16z\216\316\12v\324\316Rich\13v\324\316\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\266\200\5E\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0@\1\0\0\20\0\0\0\260\6\0\20\375\7\0\0\300\6\0\0\0\10\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\10\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\240\0\0\20\0\0\0\0\240\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0p\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0", 4096, ) , 4096, ) == 0x0
 02885   316   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02886   316   NtQueryInformationProcess  (384, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=636,ParentPid=312,}, 0x0, ) == 0x0
 02887   316   NtAllocateVirtualMemory  (-1, 0, 0, 1676, 4096, 4, ... 118095872, 4096, ) == 0x0
 02888   316   NtAllocateVirtualMemory  (384, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 02889   316   NtWriteVirtualMemory  (384, 0x10000,  (384, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 02890   316   NtAllocateVirtualMemory  (384, 0, 0, 1676, 4096, 4, ... 131072, 4096, ) == 0x0
 02891   316   NtWriteVirtualMemory  (384, 0x20000,  (384, 0x20000, "\0\20\0\0\214\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0(\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0@\0B\0\230\5\0\0D\0F\0\334\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0@\0B\0$\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) , 1676, ... 0x0, ) == 0x0
 02892   316   NtWriteVirtualMemory  (384, 0x7ffdf010,  (384, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02893   316   NtWriteVirtualMemory  (384, 0x7ffdf1e8,  (384, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02894   316   NtFreeVirtualMemory  (-1, (0x70a0000), 0, 32768, ... (0x70a0000), 4096, ) == 0x0
 02895   316   NtAllocateVirtualMemory  (384, 0, 0, 10485760, 8192, 4, ... 4784128, 10485760, ) == 0x0
 02896   316   NtAllocateVirtualMemory  (384, 15261696, 0, 8192, 4096, 4, ... 15261696, 8192, ) == 0x0
 02897   316   NtProtectVirtualMemory  (384, (0xe8e000), 4096, 260, ... (0xe8e000), 4096, 4, ) == 0x0
 02898   316   NtCreateThread  (0x1f03ff, 0x0, 384, 15265368, 15266088, 1, ... 388, {636, 732}, ) == 0x0
 02899   316   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 15272040, 15269888, 15345792, 15267188}  (24, {168, 196, new_msg, 0, 15272040, 15269888, 15345792, 15267188} "\0\0\0\0\0\0\1\0\2$\370w U\367w\203\1\0\0\204\1\0\0|\2\0\0\334\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0h\370\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0n\1c\0:\0" ... {168, 196, reply, 0, 312, 316, 1550, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\200\1\0\0\204\1\0\0|\2\0\0\334\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0h\370\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0n\1c\0:\0" )  ... {168, 196, reply, 0, 312, 316, 1550, 0}  (24, {168, 196, new_msg, 0, 15272040, 15269888, 15345792, 15267188} "\0\0\0\0\0\0\1\0\2$\370w U\367w\203\1\0\0\204\1\0\0|\2\0\0\334\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0h\370\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0n\1c\0:\0" ... {168, 196, reply, 0, 312, 316, 1550, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\200\1\0\0\204\1\0\0|\2\0\0\334\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0h\370\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0n\1c\0:\0" )  ) == 0x0
 02900   316   NtResumeThread  (388, ... 1, ) == 0x0
 02901   316   NtClose  (84, ... ) == 0x0
 02902   316   NtClose  (368, ... ) == 0x0
 02903   316   NtQueryInformationProcess  (384, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=636,ParentPid=312,}, 0x0, ) == 0x0
 02904   316   NtUserWaitForInputIdle  (636, 30000, 0, ...
 02905   316   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 368, ) == 0x0
 02906   316   NtClose  (368, ... ) == 0x0
 01177   596   NtUserMessageCall  ... ) == 0x0
 02907   596   NtWaitForMultipleObjects  (2, (160, 144, ), 1, 0, 0x0, ... ) == 0x0
 02908   596   NtNotifyChangeDirectoryFile  (160, 0, 0, 0, 2012047152, 2012047168, 32, 3, 1, ... ) == 0x103
 02909   596   NtUserMessageCall  (0x200b0, WM_USER+0x66, 0x0, 0x0, 0, 688, 0, ... ) == 0x0
 02910   596   NtWaitForMultipleObjects  (2, (160, 144, ), 1, 0, 0x0, ... ) == 0x0
 02911   596   NtNotifyChangeDirectoryFile  (160, 0, 0, 0, 2012047152, 2012047168, 32, 3, 1, ... ) == 0x103
 02912   596   NtUserMessageCall  (0x200b0, WM_USER+0x66, 0x0, 0x0, 0, 688, 0, ... ) == 0x0
 02913   596   NtWaitForMultipleObjects  (2, (160, 144, ), 1, 0, 0x0, ...
 02904   316   NtUserWaitForInputIdle  ... ) == 0x102
 02914   316   NtClose  (384, ... ) == 0x0
 02915   316   NtClose  (388, ... ) == 0x0
 02916   316   NtYieldExecution  (... ) == STATUS_NO_YIELD_PERFORMED
 02917   316   NtClose  (348, ... ) == 0x0
 02918   316   NtClose  (344, ... ) == 0x0
 02919   316   NtYieldExecution  (... ) == STATUS_NO_YIELD_PERFORMED
 02920   316   NtClose  (356, ... ) == 0x0
 02921   316   NtClose  (352, ... ) == 0x0
 02922   316   NtSetEvent  (336, ... 0x0, ) == 0x0
 02923   316   NtClose  (336, ... ) == 0x0
 02924   316   NtSetEvent  (288, ... 0x0, ) == 0x0
 02925   316   NtClose  (288, ... ) == 0x0
 02926   316   NtSetEvent  (328, ... 0x0, ) == 0x0
 02927   316   NtClose  (328, ... ) == 0x0
 02928   316   NtSetEvent  (360, ... 0x0, ) == 0x0
 02929   316   NtClose  (360, ... ) == 0x0
 02930   316   NtFreeVirtualMemory  (-1, (0x1b90000), 0, 32768, ... (0x1b90000), 76804096, ) == 0x0
 02931   316   NtSetEvent  (100, ... 0x0, ) == 0x0
 02932   316   NtClose  (100, ... ) == 0x0
 02933   316   NtClose  (88, ... ) == 0x0
 02934   316   NtClose  (92, ... ) == 0x0
 02935   316   NtClose  (96, ... ) == 0x0
 02936   316   NtSetEvent  (12, ... 0x0, ) == 0x0
 02937   316   NtClose  (12, ... ) == 0x0
 02938   316   NtSetEvent  (332, ... 0x0, ) == 0x0
 02939   316   NtClose  (332, ... ) == 0x0
 02940   316   NtSetEvent  (324, ... 0x0, ) == 0x0
 02941   316   NtClose  (324, ... ) == 0x0
 02942   316   NtFreeVirtualMemory  (-1, (0x70b0000), 0, 32768, ... (0x70b0000), 86016, ) == 0x0
 02943   316   NtFreeVirtualMemory  (-1, (0x344000), 24576, 16384, ... (0x344000), 24576, ) == 0x0
 02944   316   NtClose  (68, ... ) == 0x0
 02945   316   NtFreeVirtualMemory  (-1, (0x6f97000), 4096, 16384, ... (0x6f97000), 4096, ) == 0x0
 02946   316   NtFreeVirtualMemory  (-1, (0x34b000), 4096, 16384, ... (0x34b000), 4096, ) == 0x0
 02947   316   NtTerminateProcess  (0, 0, ...
 02913   596   NtWaitForMultipleObjects  ... ) == 0xc0
 02947   316   NtTerminateProcess  ... ) == 0x0
 02948   316   NtFreeVirtualMemory  (-1, (0x6f50000), 0, 32768, ... (0x6f50000), 262144, ) == 0x0
 02949   316   NtUserUnregisterClass  (15268860, 1991376896, 15268848, ... ) == 0x0
 02950   316   NtUserRegisterWindowMessage  ( ("WM_IDENTITY_CHANGED", ... ) , ... ) == 0xc0cc
 02951   316   NtUserRegisterWindowMessage  ( ("WM_QUERY_IDENTITY_CHANGE", ... ) , ... ) == 0xc0cd
 02952   316   NtUserRegisterWindowMessage  ( ("WM_IDENTITY_INFO_CHANGED", ... ) , ... ) == 0xc0ce
 02953   316   NtClose  (280, ... ) == 0x0
 02954   316   NtUnmapViewOfSection  (-1, 0x6f40000, ... ) == 0x0
 02955   316   NtClose  (284, ... ) == 0x0
 02956   316   NtUnmapViewOfSection  (-1, 0x3d0000, ... ) == 0x0
 02957   316   NtClose  (272, ... ) == 0x0
 02958   316   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 16384, ... (0x3f0000), 4096, ) == 0x0
 02959   316   NtFreeVirtualMemory  (-1, (0x3f0000), 0, 32768, ... (0x3f0000), 65536, ) == 0x0
 02960   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02961   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02962   316   NtUnmapViewOfSection  (-1, 0x64d0000, ... ) == 0x0
 02963   316   NtClose  (140, ... ) == 0x0
 02964   316   NtGdiDeleteObjectApp  (286262283, ... ) == 0x1
 02965   316   NtUserGetProcessWindowStation  (... ) == 0x28
 02966   316   NtUserBuildNameList  (40, 256, 15313688, 15268900, ... ) == 0x0
 02967   316   NtUserGetProcessWindowStation  (... ) == 0x28
 02968   316   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x8c
 02969   316   NtUserBuildHwndList  (140, 0, 0, 0, 64, ... (0x10066, 0x100e4, 0x100ac, 0x100aa, 0x100a8, 0x100a4, 0x20062, 0x10080, 0x10076, 0x1006a, 0x3004c, 0x10068, 0x3003e, 0x1009e, 0x10092, 0x1007e, 0x10026, 0x100e0, 0x100d8, 0x100c8, 0x200b0, 0x100c2, 0x100c0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b4, 0x100b2, 0x100a2, 0x100ea, 0x200e8, 0x100da, 0x100ce, 0x100cc, 0x100ae, 0x2005e, 0x1006e, 0x50050, 0x40054, 0x5004e, 0x10084, 0x10078, 0x1, ), 44, ) == 0x0
 02970   316   NtUserQueryWindow  (65638, 0, ... ) == 0x7d4
 02971   316   NtUserQueryWindow  (65638, 1, ... ) == 0x7e4
 02972   316   NtUserQueryWindow  (65764, 0, ... ) == 0x7d4
 02973   316   NtUserQueryWindow  (65764, 1, ... ) == 0x7e4
 02974   316   NtUserQueryWindow  (65708, 0, ... ) == 0xd0
 02975   316   NtUserQueryWindow  (65708, 1, ... ) == 0xd4
 02976   316   NtUserQueryWindow  (65706, 0, ... ) == 0xd0
 02977   316   NtUserQueryWindow  (65706, 1, ... ) == 0xd4
 02978   316   NtUserQueryWindow  (65704, 0, ... ) == 0xd0
 02979   316   NtUserQueryWindow  (65704, 1, ... ) == 0xd4
 02980   316   NtUserQueryWindow  (65700, 0, ... ) == 0xd0
 02981   316   NtUserQueryWindow  (65700, 1, ... ) == 0xd4
 02982   316   NtUserQueryWindow  (131170, 0, ... ) == 0x7d4
 02983   316   NtUserQueryWindow  (131170, 1, ... ) == 0x7e4
 02984   316   NtUserQueryWindow  (65664, 0, ... ) == 0x7d4
 02985   316   NtUserQueryWindow  (65664, 1, ... ) == 0x7e4
 02986   316   NtUserBuildHwndList  (0, 65664, 1, 0, 64, ... (0x10082, 0x1008c, 0x1008e, 0x10090, 0x10094, 0x10096, 0x10098, 0x1009a, 0x1009c, 0x100a0, 0x2005c, 0x20064, 0x1, ), 13, ) == 0x0
 02987   316   NtUserQueryWindow  (65666, 0, ... ) == 0x7d4
 02988   316   NtUserQueryWindow  (65666, 1, ... ) == 0x7e4
 02989   316   NtUserQueryWindow  (65676, 0, ... ) == 0x7d4
 02990   316   NtUserQueryWindow  (65676, 1, ... ) == 0x7e4
 02991   316   NtUserQueryWindow  (65678, 0, ... ) == 0x7d4
 02992   316   NtUserQueryWindow  (65678, 1, ... ) == 0x7e4
 02993   316   NtUserQueryWindow  (65680, 0, ... ) == 0x7d4
 02994   316   NtUserQueryWindow  (65680, 1, ... ) == 0x7e4
 02995   316   NtUserQueryWindow  (65684, 0, ... ) == 0x7d4
 02996   316   NtUserQueryWindow  (65684, 1, ... ) == 0x7e4
 02997   316   NtUserQueryWindow  (65686, 0, ... ) == 0x7d4
 02998   316   NtUserQueryWindow  (65686, 1, ... ) == 0x7e4
 02999   316   NtUserQueryWindow  (65688, 0, ... ) == 0x7d4
 03000   316   NtUserQueryWindow  (65688, 1, ... ) == 0x7e4
 03001   316   NtUserQueryWindow  (65690, 0, ... ) == 0x7d4
 03002   316   NtUserQueryWindow  (65690, 1, ... ) == 0x7e4
 03003   316   NtUserQueryWindow  (65692, 0, ... ) == 0x7d4
 03004   316   NtUserQueryWindow  (65692, 1, ... ) == 0x7e4
 03005   316   NtUserQueryWindow  (65696, 0, ... ) == 0x7d4
 03006   316   NtUserQueryWindow  (65696, 1, ... ) == 0x7e4
 03007   316   NtUserQueryWindow  (131164, 0, ... ) == 0x7d4
 03008   316   NtUserQueryWindow  (131164, 1, ... ) == 0x7e4
 03009   316   NtUserQueryWindow  (131172, 0, ... ) == 0x7d4
 03010   316   NtUserQueryWindow  (131172, 1, ... ) == 0x7e4
 03011   316   NtUserQueryWindow  (65654, 0, ... ) == 0x7d4
 03012   316   NtUserQueryWindow  (65654, 1, ... ) == 0x7e4
 03013   316   NtUserQueryWindow  (65642, 0, ... ) == 0x7d4
 03014   316   NtUserQueryWindow  (65642, 1, ... ) == 0x7e4
 03015   316   NtUserQueryWindow  (196684, 0, ... ) == 0x7d4
 03016   316   NtUserQueryWindow  (196684, 1, ... ) == 0x7e4
 03017   316   NtUserQueryWindow  (65640, 0, ... ) == 0x7d4
 03018   316   NtUserQueryWindow  (65640, 1, ... ) == 0x7e4
 03019   316   NtUserQueryWindow  (196670, 0, ... ) == 0x7d4
 03020   316   NtUserQueryWindow  (196670, 1, ... ) == 0x7e4
 03021   316   NtUserBuildHwndList  (0, 196670, 1, 0, 64, ... (0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x3004a, 0x1006c, 0x10070, 0x10074, 0x1, ), 10, ) == 0x0
 03022   316   NtUserQueryWindow  (196674, 0, ... ) == 0x7d4
 03023   316   NtUserQueryWindow  (196674, 1, ... ) == 0x7e4
 03024   316   NtUserQueryWindow  (196672, 0, ... ) == 0x7d4
 03025   316   NtUserQueryWindow  (196672, 1, ... ) == 0x7e4
 03026   316   NtUserQueryWindow  (196676, 0, ... ) == 0x7d4
 03027   316   NtUserQueryWindow  (196676, 1, ... ) == 0x7e4
 03028   316   NtUserQueryWindow  (196678, 0, ... ) == 0x7d4
 03029   316   NtUserQueryWindow  (196678, 1, ... ) == 0x7e4
 03030   316   NtUserQueryWindow  (196680, 0, ... ) == 0x7d4
 03031   316   NtUserQueryWindow  (196680, 1, ... ) == 0x7e4
 03032   316   NtUserQueryWindow  (196682, 0, ... ) == 0x7d4
 03033   316   NtUserQueryWindow  (196682, 1, ... ) == 0x7e4
 03034   316   NtUserQueryWindow  (65644, 0, ... ) == 0x7d4
 03035   316   NtUserQueryWindow  (65644, 1, ... ) == 0x7e4
 03036   316   NtUserQueryWindow  (65648, 0, ... ) == 0x7d4
 03037   316   NtUserQueryWindow  (65648, 1, ... ) == 0x7e4
 03038   316   NtUserQueryWindow  (65652, 0, ... ) == 0x7d4
 03039   316   NtUserQueryWindow  (65652, 1, ... ) == 0x7e4
 03040   316   NtUserQueryWindow  (65694, 0, ... ) == 0x7d4
 03041   316   NtUserQueryWindow  (65694, 1, ... ) == 0x7e4
 03042   316   NtUserQueryWindow  (65682, 0, ... ) == 0x7d4
 03043   316   NtUserQueryWindow  (65682, 1, ... ) == 0x7e4
 03044   316   NtUserQueryWindow  (65662, 0, ... ) == 0x7d4
 03045   316   NtUserQueryWindow  (65662, 1, ... ) == 0x7d8
 03046   316   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 03047   316   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 03048   316   NtUserQueryWindow  (65760, 0, ... ) == 0x688
 03049   316   NtUserQueryWindow  (65760, 1, ... ) == 0x69c
 03050   316   NtUserQueryWindow  (65752, 0, ... ) == 0x688
 03051   316   NtUserQueryWindow  (65752, 1, ... ) == 0x69c
 03052   316   NtUserQueryWindow  (65736, 0, ... ) == 0x27c
 03053   316   NtUserQueryWindow  (65736, 1, ... ) == 0x2dc
 03054   316   NtUserRemoveProp  (131248, 43288, ... ) == 0xffffffff
 03055   316   NtUserRemoveProp  (131248, 43282, ... ) == 0x0
 03056   316   NtUserQueryWindow  (65730, 0, ... ) == 0xd8
 03057   316   NtUserQueryWindow  (65730, 1, ... ) == 0xdc
 03058   316   NtUserQueryWindow  (65728, 0, ... ) == 0xd8
 03059   316   NtUserQueryWindow  (65728, 1, ... ) == 0xdc
 03060   316   NtUserQueryWindow  (65726, 0, ... ) == 0xd8
 03061   316   NtUserQueryWindow  (65726, 1, ... ) == 0xdc
 03062   316   NtUserQueryWindow  (65724, 0, ... ) == 0xd8
 03063   316   NtUserQueryWindow  (65724, 1, ... ) == 0xdc
 03064   316   NtUserQueryWindow  (65722, 0, ... ) == 0xd8
 03065   316   NtUserQueryWindow  (65722, 1, ... ) == 0xdc
 03066   316   NtUserQueryWindow  (65720, 0, ... ) == 0xd8
 03067   316   NtUserQueryWindow  (65720, 1, ... ) == 0xdc
 03068   316   NtUserQueryWindow  (65716, 0, ... ) == 0xd8
 03069   316   NtUserQueryWindow  (65716, 1, ... ) == 0xdc
 03070   316   NtUserQueryWindow  (65714, 0, ... ) == 0xd8
 03071   316   NtUserQueryWindow  (65714, 1, ... ) == 0xdc
 03072   316   NtUserQueryWindow  (65698, 0, ... ) == 0xbc
 03073   316   NtUserQueryWindow  (65698, 1, ... ) == 0xa0
 03074   316   NtUserQueryWindow  (65770, 0, ... ) == 0x7d4
 03075   316   NtUserQueryWindow  (65770, 1, ... ) == 0x74c
 03076   316   NtUserQueryWindow  (131304, 0, ... ) == 0x7d4
 03077   316   NtUserQueryWindow  (131304, 1, ... ) == 0x4e4
 03078   316   NtUserQueryWindow  (65754, 0, ... ) == 0x7d4
 03079   316   NtUserQueryWindow  (65754, 1, ... ) == 0x634
 03080   316   NtUserQueryWindow  (65742, 0, ... ) == 0x7d4
 03081   316   NtUserQueryWindow  (65742, 1, ... ) == 0x634
 03082   316   NtUserBuildHwndList  (0, 65742, 1, 0, 64, ... (0x100d0, 0x100d2, 0x100d4, 0x100d6, 0x1, ), 5, ) == 0x0
 03083   316   NtUserQueryWindow  (65744, 0, ... ) == 0x7d4
 03084   316   NtUserQueryWindow  (65744, 1, ... ) == 0x634
 03085   316   NtUserQueryWindow  (65746, 0, ... ) == 0x7d4
 03086   316   NtUserQueryWindow  (65746, 1, ... ) == 0x634
 03087   316   NtUserQueryWindow  (65748, 0, ... ) == 0x7d4
 03088   316   NtUserQueryWindow  (65748, 1, ... ) == 0x634
 03089   316   NtUserQueryWindow  (65750, 0, ... ) == 0x7d4
 03090   316   NtUserQueryWindow  (65750, 1, ... ) == 0x634
 03091   316   NtUserQueryWindow  (65740, 0, ... ) == 0x7d4
 03092   316   NtUserQueryWindow  (65740, 1, ... ) == 0x7e4
 03093   316   NtUserQueryWindow  (65710, 0, ... ) == 0xd0
 03094   316   NtUserQueryWindow  (65710, 1, ... ) == 0xd4
 03095   316   NtUserQueryWindow  (131166, 0, ... ) == 0xc8
 03096   316   NtUserQueryWindow  (131166, 1, ... ) == 0xcc
 03097   316   NtUserQueryWindow  (65646, 0, ... ) == 0x7d4
 03098   316   NtUserQueryWindow  (65646, 1, ... ) == 0x98
 03099   316   NtUserQueryWindow  (327760, 0, ... ) == 0x7d4
 03100   316   NtUserQueryWindow  (327760, 1, ... ) == 0x7d8
 03101   316   NtUserQueryWindow  (262228, 0, ... ) == 0x7d4
 03102   316   NtUserQueryWindow  (262228, 1, ... ) == 0x7d8
 03103   316   NtUserQueryWindow  (327758, 0, ... ) == 0x7d4
 03104   316   NtUserQueryWindow  (327758, 1, ... ) == 0x7d8
 03105   316   NtUserQueryWindow  (65668, 0, ... ) == 0x7d4
 03106   316   NtUserQueryWindow  (65668, 1, ... ) == 0x7d8
 03107   316   NtUserQueryWindow  (65656, 0, ... ) == 0x7d4
 03108   316   NtUserQueryWindow  (65656, 1, ... ) == 0x7d8
 03109   316   NtUserBuildHwndList  (0, 65656, 1, 0, 64, ... (0x1007a, 0x1007c, 0x1, ), 3, ) == 0x0
 03110   316   NtUserQueryWindow  (65658, 0, ... ) == 0x7d4
 03111   316   NtUserQueryWindow  (65658, 1, ... ) == 0x7d8
 03112   316   NtUserQueryWindow  (65660, 0, ... ) == 0x7d4
 03113   316   NtUserQueryWindow  (65660, 1, ... ) == 0x7d8
 03114   316   NtUserCloseDesktop  (140, ...
 03115   316   NtClose  (140, ... ) == 0x0
 03114   316   NtUserCloseDesktop  ... ) == 0x1
 03116   316   NtUserGetProcessWindowStation  (... ) == 0x28
 03117   316   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03118   316   NtUserGetProcessWindowStation  (... ) == 0x28
 03119   316   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03120   316   NtGdiDeleteObjectApp  (252314602, ... ) == 0x1
 03121   316   NtGdiDeleteObjectApp  (134874085, ... ) == 0x1
 03122   316   NtClose  (120, ... ) == 0x0
 03123   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 03124   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 03125   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0
 03126   316   NtClose  (128, ... ) == 0x0
 03127   316   NtClose  (124, ... ) == 0x0
 03128   316   NtClose  (132, ... ) == 0x0
 03129   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc03b
 03130   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03131   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc03d
 03132   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03133   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc03f
 03134   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03135   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc041
 03136   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03137   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc043
 03138   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03139   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc045
 03140   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03141   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc047
 03142   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03143   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc049
 03144   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03145   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc04b
 03146   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03147   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc04d
 03148   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03149   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc04f
 03150   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03151   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc051
 03152   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03153   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc053
 03154   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03155   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc057
 03156   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03157   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc059
 03158   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03159   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc05b
 03160   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03161   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc05d
 03162   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03163   316   NtUserGetClassInfo  (1999896576, 15268948, 15268900, 15268976, 0, ... ) == 0xc05f
 03164   316   NtUserUnregisterClass  (15268952, 1999896576, 15268940, ... ) == 0x1
 03165   316   NtClose  (108, ... ) == 0x0
 03166   316   NtClose  (116, ... ) == 0x0
 03167   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 03168   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 03169   316   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 03170   316   NtClose  (112, ... ) == 0x0
 03171   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 03172   316   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 03173   316   NtClose  (104, ... ) == 0x0
 03174   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 03175   316   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 65536, ) == 0x0
 03176   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc03b
 03177   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03178   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc03d
 03179   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03180   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc03f
 03181   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03182   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc041
 03183   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03184   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc043
 03185   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03186   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc045
 03187   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03188   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc047
 03189   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03190   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc049
 03191   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03192   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc04b
 03193   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03194   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc04d
 03195   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03196   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc04f
 03197   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03198   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc051
 03199   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03200   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc053
 03201   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03202   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc057
 03203   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03204   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc059
 03205   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03206   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc05b
 03207   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03208   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc05d
 03209   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03210   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc05f
 03211   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03212   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc017
 03213   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03214   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc019
 03215   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03216   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc018
 03217   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03218   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc01a
 03219   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03220   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc01c
 03221   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03222   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc01e
 03223   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03224   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc01b
 03225   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03226   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc068
 03227   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03228   316   NtUserGetClassInfo  (1905590272, 15268948, 15268900, 15268976, 0, ... ) == 0xc06a
 03229   316   NtUserUnregisterClass  (15268952, 1905590272, 15268940, ... ) == 0x1
 03230   316   NtUnmapViewOfSection  (-1, 0x350000, ... ) == 0x0
 03231   316   NtClose  (76, ... ) == 0x0
 03232   316   NtClose  (64, ... ) == 0x0
 03233   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 03234   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 03235   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 03236   316   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 03237   316   NtClose  (168, ... ) == 0x0
 03238   316   NtFreeVirtualMemory  (-1, (0x7090000), 4096, 32768, ... (0x7090000), 4096, ) == 0x0
 03239   316   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 15277704, 8, 16, 0}  (24, {20, 48, new_msg, 0, 15277704, 8, 16, 0} "\0\0\0\0\3\0\1\0h84\0x\266\371\6\0\0\0\0" ... {20, 48, reply, 0, 312, 316, 1792, 0} "\0\0\0\0\3\0\1\0\0\0\0\0x\266\371\6\0\0\0\0" )  ... {20, 48, reply, 0, 312, 316, 1792, 0}  (24, {20, 48, new_msg, 0, 15277704, 8, 16, 0} "\0\0\0\0\3\0\1\0h84\0x\266\371\6\0\0\0\0" ... {20, 48, reply, 0, 312, 316, 1792, 0} "\0\0\0\0\3\0\1\0\0\0\0\0x\266\371\6\0\0\0\0" )  ) == 0x0
 03240   316   NtTerminateProcess  (-1, 0, ...
 03241   316   NtClose  (44, ... ) == 0x0
NtCreateProcessEx(>)	1	NtGdiHfontCreate(>)	2	NtSetInformationObject(>)	5	NtQueryKey(>)	20
NtDuplicateToken(>)	1	NtOpenDirectoryObject(>)	2	NtUserBuildHwndList(>)	5	NtQueryDefaultLocale(>)	24
NtEnumerateValueKey(>)	1	NtOpenMutant(>)	2	NtUserGetProcessWindowStation(>)	5	NtCreateFile(>)	26
NtFindAtom(>)	1	NtOpenProcess(>)	2	NtOpenProcessToken(>)	6	NtCreateKey(>)	27
NtGdiCreateBitmap(>)	1	NtOpenSymbolicLinkObject(>)	2	NtWaitForMultipleObjects(>)	6	NtRequestWaitReplyPort(>)	27
NtGdiCreatePatternBrushInternal(>)	1	NtQueryInstallUILanguage(>)	2	NtEnumerateKey(>)	7	NtProtectVirtualMemory(>)	28
NtGdiInit(>)	1	NtQuerySymbolicLinkObject(>)	2	NtFsControlFile(>)	7	NtQueryDebugFilterState(>)	30
NtGdiQueryFontAssocInfo(>)	1	NtQueryVirtualMemory(>)	2	NtOpenEvent(>)	7	NtOpenSection(>)	35
NtGdiSelectBitmap(>)	1	NtReadVirtualMemory(>)	2	NtUserCallNoParam(>)	7	NtUnmapViewOfSection(>)	35
NtOpenKeyedEvent(>)	1	NtRegisterThreadTerminatePort(>)	2	NtQueryVolumeInformationFile(>)	8	NtCreateSection(>)	39
NtQueryEvent(>)	1	NtResumeThread(>)	2	NtUserMessageCall(>)	8	NtSetInformationFile(>)	40
NtQueryInformationJobObject(>)	1	NtTestAlert(>)	2	NtSetInformationProcess(>)	10	NtCreateEvent(>)	42
NtQueryInformationThread(>)	1	NtUserCloseDesktop(>)	2	NtUserGetWindowDC(>)	10	NtUserUnregisterClass(>)	46
NtQueryObject(>)	1	NtUserGetObjectInformation(>)	2	NtUserRegisterWindowMessage(>)	10	NtOpenProcessTokenEx(>)	47
NtQueryPerformanceCounter(>)	1	NtUserRemoveProp(>)	2	NtQueryDirectoryFile(>)	11	NtOpenThreadTokenEx(>)	47
NtQuerySystemTime(>)	1	NtUserWaitForInputIdle(>)	2	NtFreeVirtualMemory(>)	12	NtUserFindExistingCursorIcon(>)	48
NtSecureConnectPort(>)	1	NtYieldExecution(>)	2	NtUserCallOneParam(>)	12	NtQueryInformationToken(>)	54
NtUserBuildNameList(>)	1	NtDeleteValueKey(>)	3	NtUserSystemParametersInfo(>)	12	NtOpenFile(>)	60
NtUserGetAtomName(>)	1	NtGdiCreateCompatibleDC(>)	3	NtDuplicateObject(>)	13	NtMapViewOfSection(>)	63
NtUserGetDC(>)	1	NtGdiDeleteObjectApp(>)	3	NtFlushInstructionCache(>)	13	NtUserRegisterClassExWOW(>)	65
NtUserGetGUIThreadInfo(>)	1	NtTerminateProcess(>)	3	NtReleaseMutant(>)	13	NtQueryAttributesFile(>)	74
NtUserGetThreadDesktop(>)	1	NtUserOpenDesktop(>)	3	NtDeviceIoControlFile(>)	16	NtAllocateVirtualMemory(>)	81
NtUserSetWindowLong(>)	1	NtCreateMutant(>)	4	NtNotifyChangeKey(>)	16	NtQuerySystemInformation(>)	90
NtAccessCheck(>)	2	NtNotifyChangeDirectoryFile(>)	4	NtQueryDefaultUILanguage(>)	16	NtUserGetClassInfo(>)	98
NtAddAtom(>)	2	NtOpenThreadToken(>)	4	NtSetInformationThread(>)	16	NtUserQueryWindow(>)	138
NtCallbackReturn(>)	2	NtUserCreateWindowEx(>)	4	NtQuerySection(>)	17	NtQueryValueKey(>)	179
NtContinue(>)	2	NtUserSetProp(>)	4	NtReadFile(>)	18	NtOpenKey(>)	287
NtCreateIoCompletion(>)	2	NtWriteVirtualMemory(>)	4	NtQueryInformationFile(>)	19	NtSetEvent(>)	336
NtCreateSemaphore(>)	2	NtConnectPort(>)	5	NtSetValueKey(>)	19	NtWaitForSingleObject(>)	346
NtCreateThread(>)	2	NtDelayExecution(>)	5	NtWriteFile(>)	19	NtClose(>)	360
NtGdiCreateSolidBrush(>)	2	NtGdiGetStockObject(>)	5	NtQueryInformationProcess(>)	20