Summary (system call name followed by the number of times it was called):

NtAddAtom(>) 1 NtDuplicateObject(>) 2 NtOpenProcessToken(>) 6 NtQueryDebugFilterState(>) 23
NtCallbackReturn(>) 1 NtGdiCreateSolidBrush(>) 2 NtSetEvent(>) 6 NtQueryInformationFile(>) 23
NtCreateProcessEx(>) 1 NtGdiHfontCreate(>) 2 NtUserGetProcessWindowStation(>) 6 NtOpenProcessTokenEx(>) 31
NtCreateThread(>) 1 NtOpenDirectoryObject(>) 2 NtCreateMutant(>) 7 NtOpenThreadTokenEx(>) 31
NtDelayExecution(>) 1 NtOpenProcess(>) 2 NtDeviceIoControlFile(>) 7 NtProtectVirtualMemory(>) 31
NtDuplicateToken(>) 1 NtOpenSymbolicLinkObject(>) 2 NtQueryDirectoryFile(>) 7 NtQuerySystemInformation(>) 33
NtEnumerateValueKey(>) 1 NtQueryInstallUILanguage(>) 2 NtSetInformationProcess(>) 8 NtQuerySection(>) 34
NtFsControlFile(>) 1 NtQuerySymbolicLinkObject(>) 2 NtUserCallNoParam(>) 9 NtWaitForSingleObject(>) 37
NtGdiCreateBitmap(>) 1 NtReadVirtualMemory(>) 2 NtCreateSemaphore(>) 10 NtQueryInformationToken(>) 38
NtGdiCreatePatternBrushInternal(>) 1 NtTerminateProcess(>) 2 NtOpenMutant(>) 10 NtCreateSection(>) 46
NtGdiInit(>) 1 NtUserCloseDesktop(>) 2 NtQueryDefaultUILanguage(>) 10 NtUserUnregisterClass(>) 46
NtGdiQueryFontAssocInfo(>) 1 NtClearEvent(>) 3 NtUserGetWindowDC(>) 10 NtReleaseMutant(>) 48
NtGdiSelectBitmap(>) 1 NtGdiCreateCompatibleDC(>) 3 NtCreateKey(>) 11 NtUserFindExistingCursorIcon(>) 48
NtOpenKeyedEvent(>) 1 NtGdiDeleteObjectApp(>) 3 NtUserSystemParametersInfo(>) 11 NtQueryVirtualMemory(>) 52
NtQueryEvent(>) 1 NtNotifyChangeKey(>) 3 NtUserCallOneParam(>) 12 NtFreeVirtualMemory(>) 55
NtQueryInformationJobObject(>) 1 NtOpenEvent(>) 3 NtRequestWaitReplyPort(>) 13 NtOpenSection(>) 57
NtQueryObject(>) 1 NtReleaseSemaphore(>) 3 NtFlushInstructionCache(>) 15 NtUserRegisterClassExWOW(>) 63
NtQueryTimerResolution(>) 1 NtUserGetObjectInformation(>) 3 NtSetValueKey(>) 15 NtMapViewOfSection(>) 73
NtRegisterThreadTerminatePort(>) 1 NtUserOpenDesktop(>) 3 NtQueryInformationProcess(>) 16 NtOpenFile(>) 79
NtResumeThread(>) 1 NtWaitForMultipleObjects(>) 3 NtSetInformationThread(>) 16 NtUserGetClassInfo(>) 82
NtSecureConnectPort(>) 1 NtQueryKey(>) 4 NtSetInformationFile(>) 17 NtUserQueryWindow(>) 112
NtTestAlert(>) 1 NtSetInformationObject(>) 4 NtQueryVolumeInformationFile(>) 18 NtQueryAttributesFile(>) 133
NtUserBuildNameList(>) 1 NtUserBuildHwndList(>) 4 NtContinue(>) 20 NtAllocateVirtualMemory(>) 194
NtUserGetDC(>) 1 NtWriteFile(>) 4 NtUnmapViewOfSection(>) 20 NtOpenKey(>) 205
NtUserGetGUIThreadInfo(>) 1 NtWriteVirtualMemory(>) 4 NtUserRegisterWindowMessage(>) 20 NtQueryValueKey(>) 341
NtUserGetThreadDesktop(>) 1 NtGdiGetStockObject(>) 5 NtCreateFile(>) 21 NtClose(>) 356
NtAccessCheck(>) 2 NtOpenThreadToken(>) 5 NtQueryDefaultLocale(>) 21
NtConnectPort(>) 2 NtEnumerateKey(>) 6

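Trace (each entry: sequence number, thread ID, system call with its arguments, then the returned status or value):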

00001 436 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 436 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 436 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 436 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 436 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 436 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 436 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 436 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 436 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 436 NtClose (12, ... 
) == 0x0 00014 436 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 436 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 436 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 436 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 436 NtClose (16, ... ) == 0x0 00021 436 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 436 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 436 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0 00025 436 NtClose (16, ... ) == 0x0 00026 436 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 436 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 436 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 436 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 436 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 436 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 432, 436, 1488, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ... {28, 56, reply, 0, 432, 436, 1488, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 432, 436, 1488, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ) == 0x0 00032 436 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 436 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 436 NtClose (16, ... ) == 0x0 00036 436 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 436 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 436 NtClose (28, ... ) == 0x0 00041 436 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 436 NtClose (28, ... ) == 0x0 00045 436 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 436 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 436 NtClose (28, ... ) == 0x0 00049 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 436 NtClose (28, ... ) == 0x0 00052 436 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 436 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... 
{28, 56, reply, 0, 432, 436, 1491, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ... {28, 56, reply, 0, 432, 436, 1491, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 432, 436, 1491, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ) == 0x0 00056 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 4, ... (0x4e0000), 114688, 128, ) == 0x0 00057 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 128, ... (0x4e0000), 114688, 4, ) == 0x0 00058 436 NtFlushInstructionCache (-1, 5111808, 114688, ... ) == 0x0 00059 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00061 436 NtClose (28, ... ) == 0x0 00062 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00064 436 NtClose (28, ... ) == 0x0 00065 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00067 436 NtClose (28, ... ) == 0x0 00068 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00070 436 NtClose (28, ... ) == 0x0 00071 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00072 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00073 436 NtClose (28, ... 
) == 0x0 00074 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 4, ... (0x4e0000), 114688, 64, ) == 0x0 00075 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 64, ... (0x4e0000), 114688, 4, ) == 0x0 00076 436 NtFlushInstructionCache (-1, 5111808, 114688, ... ) == 0x0 00077 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00078 436 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00079 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ws2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ws2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00081 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0 00082 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00083 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00084 436 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00085 436 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00086 436 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00087 436 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00088 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00089 436 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00090 436 NtClose (40, ... ) == 0x0 00091 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00092 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00093 436 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00094 436 NtClose (40, ... ) == 0x0 00095 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00096 436 NtClose (36, ... ) == 0x0 00097 436 NtClose (28, ... ) == 0x0 00098 436 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00099 436 NtClose (32, ... ) == 0x0 00100 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 32, ) }, ... 32, ) == 0x0 00101 436 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00102 436 NtClose (32, ... ) == 0x0 00103 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00104 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0 00107 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 
32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00108 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00109 436 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00110 436 NtClose (32, ... ) == 0x0 00111 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00112 436 NtClose (28, ... ) == 0x0 00113 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 4, ... (0x4e0000), 114688, 64, ) == 0x0 00114 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 64, ... (0x4e0000), 114688, 4, ) == 0x0 00115 436 NtFlushInstructionCache (-1, 5111808, 114688, ... ) == 0x0 00116 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00117 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00118 436 NtClose (28, ... ) == 0x0 00119 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00120 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00121 436 NtClose (28, ... ) == 0x0 00122 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 4, ... (0x4e0000), 114688, 64, ) == 0x0 00123 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 64, ... (0x4e0000), 114688, 4, ) == 0x0 00124 436 NtFlushInstructionCache (-1, 5111808, 114688, ... ) == 0x0 00125 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 4, ... (0x4e0000), 114688, 64, ) == 0x0 00126 436 NtProtectVirtualMemory (-1, (0x4e0000), 114688, 64, ... (0x4e0000), 114688, 4, ) == 0x0 00127 436 NtFlushInstructionCache (-1, 5111808, 114688, ... ) == 0x0 00128 436 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00129 436 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00130 436 NtClose (28, ... 
) == 0x0 00131 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00132 436 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00133 436 NtClose (28, ... ) == 0x0 00134 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00135 436 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00136 436 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00137 436 NtClose (28, ... ) == 0x0 00138 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00139 436 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 436 NtClose (28, ... ) == 0x0 00141 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00142 436 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00143 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00144 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00145 436 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 432, 436, 1503, 0} "\260\307\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ) ... {28, 56, reply, 0, 432, 436, 1503, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 432, 436, 1503, 0} "\260\307\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ) ) == 0x0 00146 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00147 436 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0 00148 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00149 436 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00150 436 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00151 436 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00152 436 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00153 436 NtClose (-2147482020, ... ) == 0x0 00154 436 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00155 436 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... 
(0x3f0000), 4096, ) == 0x0 00156 436 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00157 436 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00158 436 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00159 436 NtClose (-2147482020, ... ) == 0x0 00160 436 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00161 436 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00162 436 NtClose (-2147482020, ... ) == 0x0 00163 436 NtQueryDefaultLocale (0, -133330420, ... ) == 0x0 00164 436 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00165 436 NtUserCallNoParam (24, ... ) == 0x0 00166 436 NtGdiCreateCompatibleDC (0, ... 00167 436 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00166 436 NtGdiCreateCompatibleDC ... ) == 0x100103c9 00168 436 NtGdiGetStockObject (0, ... ) == 0x1900010 00169 436 NtGdiGetStockObject (4, ... ) == 0x1900011 00170 436 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x130503d4 00171 436 NtGdiCreateSolidBrush (0, 0, ... 00172 436 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9502720, 4096, ) == 0x0 00171 436 NtGdiCreateSolidBrush ... ) == 0x131003d3 00173 436 NtGdiGetStockObject (13, ... ) == 0x18a0021 00174 436 NtGdiCreateCompatibleDC (0, ... ) == 0x3e01040c 00175 436 NtGdiSelectBitmap (1040253964, 319095764, ... ) == 0x185000f 00176 436 NtUserGetThreadDesktop (436, 0, ... ) == 0x2c 00177 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 
52, ) }, ... 52, ) == 0x0 00178 436 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00179 436 NtClose (52, ... ) == 0x0 00180 436 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00181 436 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00182 436 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00183 436 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00184 436 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00185 436 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00186 436 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00187 436 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00188 436 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00189 436 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00190 436 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00191 436 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00192 436 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00193 436 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00194 436 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00195 436 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026 00196 436 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00197 436 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... 
) == 0x810dc019 00198 436 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00199 436 NtAllocateVirtualMemory (-1, 6451200, 0, 4096, 4096, 32, ... 6451200, 4096, ) == 0x0 00198 436 NtUserRegisterClassExWOW ... ) == 0x810dc020 00200 436 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00201 436 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00202 436 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00203 436 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00204 436 NtCallbackReturn (0, 0, 0, ... 00205 436 NtGdiInit (... ) == 0x1 00206 436 NtGdiGetStockObject (18, ... ) == 0x290001c 00207 436 NtGdiGetStockObject (19, ... ) == 0x1b00019 00208 436 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 52, ) == 0x0 00209 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0 00210 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 60, ) }, ... 60, ) == 0x0 00211 436 NtNotifyChangeKey (60, 56, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00212 436 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00213 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0 00214 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0 00215 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00216 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9568256, 65536, ) == 0x0 00217 436 NtAllocateVirtualMemory (-1, 9568256, 0, 4096, 4096, 4, ... 
9568256, 4096, ) == 0x0 00218 436 NtAllocateVirtualMemory (-1, 9572352, 0, 8192, 4096, 4, ... 9572352, 8192, ) == 0x0 00219 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 72, ) }, ... 72, ) == 0x0 00220 436 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x930000), 0x0, 12288, ) == 0x0 00221 436 NtClose (72, ... ) == 0x0 00222 436 NtAllocateVirtualMemory (-1, 9580544, 0, 4096, 4096, 4, ... 9580544, 4096, ) == 0x0 00223 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00224 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00225 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00226 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00227 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 72, ) }, ... 72, ) == 0x0 00228 436 NtQueryValueKey (72, (72, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00229 436 NtClose (72, ... ) == 0x0 00230 436 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00231 436 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00232 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00233 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00234 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00235 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 72, ) }, ... 72, ) == 0x0 00236 436 NtQueryValueKey (72, (72, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00237 436 NtQueryValueKey (72, (72, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 436 NtQueryValueKey (72, (72, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00239 436 NtClose (72, ... ) == 0x0 00240 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 72, ) }, ... 72, ) == 0x0 00241 436 NtQueryValueKey (72, (72, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00242 436 NtQueryValueKey (72, (72, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00243 436 NtClose (72, ... 
) == 0x0 00244 436 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 72, ) }, ... 72, ) == 0x0 00245 436 NtOpenEvent (0x1f0003, {24, 72, 0x0, 0, 0, (0x1f0003, {24, 72, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00246 436 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00247 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00248 436 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00249 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 76, ) }, ... 76, ) == 0x0 00250 436 NtQueryValueKey (76, (76, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 436 NtClose (76, ... ) == 0x0 00252 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 436 NtTestAlert (... ) == 0x0 00254 436 NtContinue (1244464, 1, ... 00255 436 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401000,}, 4, ... ) == 0x0 00256 436 NtAllocateVirtualMemory (-1, 0, 0, 196608, 4096, 64, ... 9699328, 196608, ) == 0x0 00257 436 NtAllocateVirtualMemory (-1, 0, 0, 196608, 4096, 64, ... 9895936, 196608, ) == 0x0 00258 436 NtFreeVirtualMemory (-1, (0x940000), 0, 32768, ... (0x940000), 196608, ) == 0x0 00259 436 NtAllocateVirtualMemory (-1, 0, 0, 1350, 4096, 4, ... 9699328, 4096, ) == 0x0 00260 436 NtFreeVirtualMemory (-1, (0x940000), 0, 32768, ... (0x940000), 4096, ) == 0x0 00261 436 NtAllocateVirtualMemory (-1, 0, 0, 148480, 4096, 4, ... 
9699328, 151552, ) == 0x0 00262 436 NtFreeVirtualMemory (-1, (0x940000), 0, 32768, ... (0x940000), 151552, ) == 0x0 00263 436 NtAllocateVirtualMemory (-1, 0, 0, 2560, 4096, 4, ... 9699328, 4096, ) == 0x0 00264 436 NtFreeVirtualMemory (-1, (0x940000), 0, 32768, ... (0x940000), 4096, ) == 0x0 00265 436 NtAllocateVirtualMemory (-1, 0, 0, 3584, 4096, 4, ... 9699328, 4096, ) == 0x0 00266 436 NtFreeVirtualMemory (-1, (0x940000), 0, 32768, ... (0x940000), 4096, ) == 0x0 00267 436 NtAllocateVirtualMemory (-1, 0, 0, 8704, 4096, 4, ... 9699328, 12288, ) == 0x0 00268 436 NtFreeVirtualMemory (-1, (0x940000), 0, 32768, ... (0x940000), 12288, ) == 0x0 00269 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... 76, ) }, ... 76, ) == 0x0 00270 436 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 00271 436 NtClose (76, ... ) == 0x0 00272 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00273 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1243008, ... ) }, 1243008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00274 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1243008, ... ) }, 1243008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00275 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1243008, ... ) }, 1243008, ... ) == 0x0 00276 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00277 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 80, ) == 0x0 00278 436 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00279 436 NtClose (76, ... 
) == 0x0 00280 436 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 00281 436 NtClose (80, ... ) == 0x0 00282 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00283 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00284 436 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00285 436 NtClose (80, ... ) == 0x0 00286 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0 00287 436 NtSetInformationObject (80, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00288 436 NtOpenKey (0xf003f, {24, 80, 0x40, 0, 0, (0xf003f, {24, 80, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00289 436 NtOpenKey (0xf003f, {24, 80, 0x40, 0, 0, (0xf003f, {24, 80, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00290 436 NtOpenProcessToken (-1, 0x8, ... 76, ) == 0x0 00291 436 NtQueryInformationToken (76, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00292 436 NtClose (76, ... ) == 0x0 00293 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00294 436 NtReleaseMutant (16, ... 00295 436 NtContinue (-133332856, 0, ... 00294 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00296 436 NtUserCallOneParam (0, 40, ... ) == 0x4 00297 436 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00298 436 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 1, ... 10092544, 1048576, ) == 0x0 00299 436 NtAllocateVirtualMemory (-1, 10092544, 0, 16384, 4096, 4, ... 10092544, 16384, ) == 0x0 00300 436 NtUserCallNoParam (29, ... 00301 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242276, ... ) }, 1242276, ... 
) == 0x0 00302 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00303 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 76, ... 84, ) == 0x0 00304 436 NtClose (76, ... ) == 0x0 00305 436 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xaa0000), 0x0, 204800, ) == 0x0 00306 436 NtClose (84, ... ) == 0x0 00307 436 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 00308 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242592, ... ) }, 1242592, ... ) == 0x0 00309 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0 00310 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 84, ... 76, ) == 0x0 00311 436 NtQuerySection (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00312 436 NtClose (84, ... ) == 0x0 00313 436 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00314 436 NtClose (76, ... ) == 0x0 00315 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00316 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00317 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00318 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00319 436 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00320 436 NtClose (76, ... ) == 0x0 00321 436 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 76, ) }, ... 76, ) == 0x0 00322 436 NtOpenKey (0x1, {24, 76, 0x40, 0, 0, (0x1, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 84, ) }, ... 
84, ) == 0x0 00323 436 NtQueryValueKey (84, (84, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00324 436 NtClose (84, ... ) == 0x0 00325 436 NtClose (76, ... ) == 0x0 00326 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00327 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00328 436 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00329 436 NtClose (76, ... ) == 0x0 00330 436 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 76, ) }, ... 76, ) == 0x0 00331 436 NtOpenKey (0x1, {24, 76, 0x40, 0, 0, (0x1, {24, 76, 0x40, 0, 0, "Control Panel\Desktop"}, ... 84, ) }, ... 84, ) == 0x0 00332 436 NtQueryValueKey (84, (84, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00333 436 NtClose (84, ... ) == 0x0 00334 436 NtClose (76, ... ) == 0x0 00335 436 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00336 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00337 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00338 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0 00339 436 NtUserGetProcessWindowStation (... ) == 0x28 00340 436 NtUserGetObjectInformation (40, 2, 0, 0, 1244388, ... ) == 0x0 00341 436 NtUserGetObjectInformation (40, 2, 1328464, 16, 1244388, ... ) == 0x1 00342 436 NtUserGetGUIThreadInfo (436, 1244344, ... ) == 0x1 00343 436 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244164, 64, ... 76, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244164, 64, ... 
76, 0x0, 0x0, 0x0, 64, ) == 0x0 00344 436 NtRequestWaitReplyPort (76, {32, 56, new_msg, 0, 0, 0, 0, 0} (76, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 432, 436, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 432, 436, 1505, 0} (76, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 432, 436, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00345 436 NtRequestWaitReplyPort (76, {32, 56, new_msg, 0, 0, 0, 0, 0} (76, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 432, 436, 1506, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 432, 436, 1506, 0} (76, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 432, 436, 1506, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00346 436 NtUserCallNoParam (29, ... 00347 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241636, ... ) }, 1241636, ... ) == 0x0 00346 436 NtUserCallNoParam ... ) == 0x0 00348 436 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 00349 436 NtGdiHfontCreate (1243716, 356, 0, 0, 1327888, ... ) == 0x150a040b 00350 436 NtGdiHfontCreate (1243716, 356, 0, 0, 1327880, ... ) == 0x80a03d8 00351 436 NtRequestWaitReplyPort (76, {32, 56, new_msg, 0, 0, 0, 0, 0} (76, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 432, 436, 1507, 0} "\0\0\0\0\0\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... 
{32, 56, reply, 0, 432, 436, 1507, 0} (76, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 432, 436, 1507, 0} "\0\0\0\0\0\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00352 436 NtMapViewOfSection (84, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xaa0000), {0, 0}, 331776, ) == 0x0 00353 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00354 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00355 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00356 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00357 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00358 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00359 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00360 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00361 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00362 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00363 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00364 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00365 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00366 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00367 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00368 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00369 436 NtUserGetWindowDC (0, ... ) == 0x1010054 00370 436 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x2b10040d 00371 436 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00372 436 NtUserCallNoParam (29, ... 00373 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241080, ... ) }, 1241080, ... ) == 0x0 00372 436 NtUserCallNoParam ... ) == 0x0 00374 436 NtUserCallNoParam (29, ... 00375 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241076, ... ) }, 1241076, ... ) == 0x0 00374 436 NtUserCallNoParam ... ) == 0x0 00300 436 NtUserCallNoParam ... ) == 0x1 00376 436 NtWaitForSingleObject (16, 0, 0x0, ... 
) == STATUS_ACCESS_DENIED 00377 436 NtReleaseMutant (16, ... 00378 436 NtContinue (-133332856, 0, ... 00377 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00379 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00380 436 NtReleaseMutant (16, ... 00381 436 NtContinue (-133332856, 0, ... 00380 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00382 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00383 436 NtReleaseMutant (16, ... 00384 436 NtContinue (-133332856, 0, ... 00383 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00385 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00386 436 NtReleaseMutant (16, ... 00387 436 NtContinue (-133332856, 0, ... 00386 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00388 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00389 436 NtReleaseMutant (16, ... 00390 436 NtContinue (-133332856, 0, ... 00389 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00391 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00392 436 NtReleaseMutant (16, ... 00393 436 NtContinue (-133332856, 0, ... 00392 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00394 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00395 436 NtReleaseMutant (16, ... 00396 436 NtContinue (-133332856, 0, ... 00395 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00397 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00398 436 NtReleaseMutant (16, ... 00399 436 NtContinue (-133332856, 0, ... 00398 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00400 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00401 436 NtReleaseMutant (16, ... 00402 436 NtContinue (-133332856, 0, ... 00401 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00403 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00404 436 NtReleaseMutant (16, ... 00405 436 NtContinue (-133332856, 0, ... 
00404 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00406 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00407 436 NtReleaseMutant (16, ... 00408 436 NtContinue (-133332856, 0, ... 00407 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00409 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00410 436 NtReleaseMutant (16, ... 00411 436 NtContinue (-133332856, 0, ... 00410 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00412 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00413 436 NtReleaseMutant (16, ... 00414 436 NtContinue (-133332856, 0, ... 00413 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00415 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00416 436 NtReleaseMutant (16, ... 00417 436 NtContinue (-133332856, 0, ... 00416 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00418 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00419 436 NtReleaseMutant (16, ... 00420 436 NtContinue (-133332856, 0, ... 00419 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00421 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00422 436 NtReleaseMutant (16, ... 00423 436 NtContinue (-133332856, 0, ... 00422 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00424 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00425 436 NtReleaseMutant (16, ... 00426 436 NtContinue (-133332856, 0, ... 00425 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00427 436 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00428 436 NtReleaseMutant (16, ... 00429 436 NtContinue (-133332856, 0, ... 00428 436 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00430 436 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0 00431 436 NtQueryValueKey (88, (88, "WinSock_Registry_Version", Partial, 144, ... 
TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00432 436 NtQueryValueKey (88, (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00433 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0 00434 436 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... 96, ) }, ... 96, ) == 0x0 00435 436 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00436 436 NtNotifyChangeKey (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00437 436 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00438 436 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00439 436 NtQueryValueKey (96, (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00440 436 NtQueryValueKey (96, (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00441 436 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0 00442 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 104, ) == 0x0 00443 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00444 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00445 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\276\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\277\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\300\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\276\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\277\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\300\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\276\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\277\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\300\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00446 436 NtClose (104, ... ) == 0x0 00447 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0 00448 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00449 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00450 436 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00451 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\304\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\304\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\305\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\306\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\304\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\304\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\305\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\306\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\304\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\304\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\305\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\306\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00452 436 NtClose (104, ... ) == 0x0 00453 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 104, ) }, ... 104, ) == 0x0 00454 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00455 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00456 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\311\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\312\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\313\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\311\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\312\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\313\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\311\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\312\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\313\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00457 436 NtClose (104, ... ) == 0x0 00458 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000004"}, ... 104, ) }, ... 104, ) == 0x0 00459 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00460 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00461 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\316\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\316\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\317\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\320\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\316\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\316\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\317\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\320\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\316\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\316\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\317\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\320\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\320\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00462 436 NtClose (104, ... ) == 0x0 00463 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000005"}, ... 104, ) }, ... 104, ) == 0x0 00464 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00465 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00466 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\323\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\323\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\324\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\325\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\325\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\326\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\323\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\323\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\324\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\325\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\325\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\326\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\325\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\326\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\323\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\323\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\324\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\325\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\325\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\326\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00467 436 NtClose (104, ... ) == 0x0 00468 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000006"}, ... 104, ) }, ... 104, ) == 0x0 00469 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00470 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00471 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\330\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\330\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\331\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\331\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\332\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\332\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\330\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\330\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\331\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\331\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\332\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\332\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\332\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\330\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\330\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\331\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\331\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\332\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\332\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00472 436 NtClose (104, ... ) == 0x0 00473 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000007"}, ... 104, ) }, ... 104, ) == 0x0 00474 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00475 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00476 436 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00477 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\336\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\336\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\337\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\340\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\336\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\336\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\337\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\340\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\336\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\336\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\337\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\340\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\340\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00478 436 NtClose (104, ... ) == 0x0 00479 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000008"}, ... 104, ) }, ... 104, ) == 0x0 00480 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00481 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00482 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\343\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\343\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\344\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\345\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\343\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\343\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\344\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\345\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\343\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\343\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\344\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\345\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\345\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00483 436 NtClose (104, ... ) == 0x0 00484 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000009"}, ... 104, ) }, ... 104, ) == 0x0 00485 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00486 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00487 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\350\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\350\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\351\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\351\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\352\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\352\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\353\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\350\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\350\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\351\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\351\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\352\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\352\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\353\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\352\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\353\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\350\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\350\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\351\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\351\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\352\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\352\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\353\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00488 436 NtClose (104, ... ) == 0x0 00489 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000010"}, ... 104, ) }, ... 104, ) == 0x0 00490 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00491 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00492 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\355\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\355\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\356\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\357\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\355\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\355\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\356\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\357\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\355\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\355\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0Hb\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\356\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\357\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\357\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\1\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00493 436 NtClose (104, ... ) == 0x0 00494 436 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000011"}, ... 104, ) }, ... 104, ) == 0x0 00495 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00496 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00497 436 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00498 436 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\363\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\363\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\364\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\1\0\0\260\1\0\0\264\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\365\1\0\0\260\1\0\0\264\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\366\1\0\0\260\1\0\0\264\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\366\1\0\0\260\1\0\0\264\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\367\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0x\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\30b\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\363\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\363\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\364\1\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\1\0\0\260\1\0\0\264\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\365\1\0\0\260\1\0\0\264\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\366\1\0\0\260\1\0\0\264\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\366\1\0\0\260\1\0\0\264\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\367\1\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0x\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\30b\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 00499 436 NtClose (104, ... ) == 0x0 00500 436 NtClose (100, ... 
) == 0x0 00501 436 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 00502 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0 00503 436 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 104, ) }, ... 104, ) == 0x0 00504 436 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00505 436 NtNotifyChangeKey (104, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00506 436 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00507 436 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00508 436 NtQueryValueKey (104, (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00509 436 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "Catalog_Entries"}, ... 108, ) }, ... 108, ) == 0x0 00510 436 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000001"}, ... 112, ) }, ... 112, ) == 0x0 00511 436 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00512 436 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00513 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00514 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00515 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00516 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00517 436 NtQueryValueKey (112, (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00518 436 NtQueryValueKey (112, (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00519 436 NtQueryValueKey (112, (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00520 436 NtQueryValueKey (112, (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00521 436 NtQueryValueKey (112, (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00522 436 NtQueryValueKey (112, (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00523 436 NtClose (112, ... ) == 0x0 00524 436 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000002"}, ... 112, ) }, ... 112, ) == 0x0 00525 436 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00526 436 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00527 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00528 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00529 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00530 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00531 436 NtQueryValueKey (112, (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00532 436 NtQueryValueKey (112, (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00533 436 NtQueryValueKey (112, (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00534 436 NtQueryValueKey (112, (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00535 436 NtQueryValueKey (112, (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00536 436 NtQueryValueKey (112, (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00537 436 NtClose (112, ... ) == 0x0 00538 436 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000003"}, ... 112, ) }, ... 112, ) == 0x0 00539 436 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00540 436 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00541 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00542 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00543 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00544 436 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00545 436 NtQueryValueKey (112, (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00546 436 NtQueryValueKey (112, (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00547 436 NtQueryValueKey (112, (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00548 436 NtQueryValueKey (112, (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00549 436 NtQueryValueKey (112, (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00550 436 NtQueryValueKey (112, (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00551 436 NtClose (112, ... 
) == 0x0 00552 436 NtClose (108, ... ) == 0x0 00553 436 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x102 00554 436 NtClose (88, ... ) == 0x0 00555 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00556 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00557 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0 00558 436 NtQueryValueKey (88, (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00559 436 NtClose (88, ... ) == 0x0 00560 436 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0 00561 436 NtAllocateVirtualMemory (-1, 10108928, 0, 32768, 4096, 4, ... 10108928, 32768, ) == 0x0 00562 436 NtFreeVirtualMemory (-1, (0x9a8000), 16384, 16384, ... (0x9a8000), 16384, ) == 0x0 00563 436 NtAllocateVirtualMemory (-1, 10125312, 0, 16384, 4096, 4, ... 10125312, 16384, ) == 0x0 00564 436 NtAllocateVirtualMemory (-1, 0, 0, 17, 4096, 64, ... 9699328, 4096, ) == 0x0 00565 436 NtFreeVirtualMemory (-1, (0x9a8000), 16384, 16384, ... (0x9a8000), 16384, ) == 0x0 00566 436 NtAllocateVirtualMemory (-1, 10125312, 0, 16384, 4096, 4, ... 10125312, 16384, ) == 0x0 00567 436 NtAllocateVirtualMemory (-1, 0, 0, 21, 4096, 64, ... 9764864, 4096, ) == 0x0 00568 436 NtFreeVirtualMemory (-1, (0x9a8000), 16384, 16384, ... (0x9a8000), 16384, ) == 0x0 00569 436 NtAllocateVirtualMemory (-1, 10125312, 0, 16384, 4096, 4, ... 10125312, 16384, ) == 0x0 00570 436 NtAllocateVirtualMemory (-1, 0, 0, 248, 4096, 64, ... 9830400, 4096, ) == 0x0 00571 436 NtFreeVirtualMemory (-1, (0x9a8000), 16384, 16384, ... 
(0x9a8000), 16384, ) == 0x0 00572 436 NtAllocateVirtualMemory (-1, 10125312, 0, 32768, 4096, 4, ... 10125312, 32768, ) == 0x0 00573 436 NtFreeVirtualMemory (-1, (0x9a8000), 32768, 16384, ... (0x9a8000), 32768, ) == 0x0 00574 436 NtAllocateVirtualMemory (-1, 10125312, 0, 32768, 4096, 4, ... 10125312, 32768, ) == 0x0 00575 436 NtFreeVirtualMemory (-1, (0x9a8000), 32768, 16384, ... (0x9a8000), 32768, ) == 0x0 00576 436 NtFreeVirtualMemory (-1, (0x9a4000), 16384, 16384, ... (0x9a4000), 16384, ) == 0x0 00577 436 NtAllocateVirtualMemory (-1, 10108928, 0, 32768, 4096, 4, ... 10108928, 32768, ) == 0x0 00578 436 NtFreeVirtualMemory (-1, (0x9a8000), 16384, 16384, ... (0x9a8000), 16384, ) == 0x0 00579 436 NtFreeVirtualMemory (-1, (0x9a4000), 16384, 16384, ... (0x9a4000), 16384, ) == 0x0 00580 436 NtAllocateVirtualMemory (-1, 10108928, 0, 163840, 4096, 4, ... 10108928, 163840, ) == 0x0 00581 436 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00582 436 NtAllocateVirtualMemory (-1, 10272768, 0, 32768, 4096, 4, ... 10272768, 32768, ) == 0x0 00583 436 NtFreeVirtualMemory (-1, (0x9d0000), 16384, 16384, ... (0x9d0000), 16384, ) == 0x0 00584 436 NtFreeVirtualMemory (-1, (0x9cc000), 16384, 16384, ... (0x9cc000), 16384, ) == 0x0 00585 436 NtFreeVirtualMemory (-1, (0x9a4000), 163840, 16384, ... (0x9a4000), 163840, ) == 0x0 00586 436 NtAllocateVirtualMemory (-1, 10108928, 0, 16384, 4096, 4, ... 10108928, 16384, ) == 0x0 00587 436 NtFreeVirtualMemory (-1, (0x9a4000), 16384, 16384, ... (0x9a4000), 16384, ) == 0x0 00588 436 NtAllocateVirtualMemory (-1, 10108928, 0, 98304, 4096, 4, ... 10108928, 98304, ) == 0x0 00589 436 NtFreeVirtualMemory (-1, (0x9a4000), 98304, 16384, ... (0x9a4000), 98304, ) == 0x0 00590 436 NtAllocateVirtualMemory (-1, 10108928, 0, 32768, 4096, 4, ... 10108928, 32768, ) == 0x0 00591 436 NtFreeVirtualMemory (-1, (0x9a8000), 16384, 16384, ... (0x9a8000), 16384, ) == 0x0 00592 436 NtFreeVirtualMemory (-1, (0x9a4000), 16384, 16384, ... 
(0x9a4000), 16384, ) == 0x0 00593 436 NtAllocateVirtualMemory (-1, 10108928, 0, 32768, 4096, 4, ... 10108928, 32768, ) == 0x0 00594 436 NtFreeVirtualMemory (-1, (0x9a8000), 16384, 16384, ... (0x9a8000), 16384, ) == 0x0 00595 436 NtAllocateVirtualMemory (-1, 10125312, 0, 16384, 4096, 4, ... 10125312, 16384, ) == 0x0 00596 436 NtAllocateVirtualMemory (-1, 0, 0, 16436, 4096, 64, ... 11534336, 20480, ) == 0x0 00597 436 NtAllocateVirtualMemory (-1, 0, 0, 768, 4096, 64, ... 11599872, 4096, ) == 0x0 00598 436 NtAllocateVirtualMemory (-1, 0, 0, 768, 4096, 64, ... 11665408, 4096, ) == 0x0 00599 436 NtAllocateVirtualMemory (-1, 0, 0, 768, 4096, 64, ... 11730944, 4096, ) == 0x0 00600 436 NtAllocateVirtualMemory (-1, 0, 0, 768, 4096, 64, ... 11796480, 4096, ) == 0x0 00601 436 NtAllocateVirtualMemory (-1, 10141696, 0, 16384, 4096, 4, ... 10141696, 16384, ) == 0x0 00602 436 NtAllocateVirtualMemory (-1, 10158080, 0, 16384, 4096, 4, ... 10158080, 16384, ) == 0x0 00603 436 NtAllocateVirtualMemory (-1, 10174464, 0, 16384, 4096, 4, ... 10174464, 16384, ) == 0x0 00604 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243880, (0xc0100080, {24, 0, 0x40, 0, 1243880, "\??\Scsi0:"}, 0x0, 0, 3, 1, 96, 0, 0, ... 108, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 
108, {status=0x0, info=0}, ) == 0x0 00605 436 NtDeviceIoControlFile (108, 0, 0x0, 0x0, 0x4d008, (108, 0, 0x0, 0x0, 0x4d008, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\1\1\0\0\240\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 572, 572, ... 
{status=0x0, info=572}, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0zBa\30\0\0\20\0\0\0\0\0?\0\0\0\0\0\0\000000000000000000010\0\0@\0\0\000000010MVawerV riutlaI EDH ra drDvi e @\200\0\0\0/\0\0\0\2\0\0\7\0a\30\20\0?\0\360\375_\0@\1\0\0`\0\0\0\7\0\3\0x\0x\0\240\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\36\0\27\0\10@\10@\0@\10@\0@\0@\7\4\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 572, 572, ... {status=0x0, info=572}, (108, 0, 0x0, 0x0, 0x4d008, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 
\2\0\0\0\2\0\0\0\1\1\0\0\240\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 572, 572, ... {status=0x0, info=572}, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0zBa\30\0\0\20\0\0\0\0\0?\0\0\0\0\0\0\000000000000000000010\0\0@\0\0\000000010MVawerV riutlaI EDH ra drDvi e @\200\0\0\0/\0\0\0\2\0\0\7\0a\30\20\0?\0\360\375_\0@\1\0\0`\0\0\0\7\0\3\0x\0x\0\240\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\36\0\27\0\10@\10@\0@\10@\0@\0@\7\4\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00606 436 NtClose (108, ... 
) == 0x0 00607 436 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00608 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0 00609 436 NtQueryInformationFile (108, 1243996, 528, Name, ... {status=0x0, info=6}, ) == 0x0 00610 436 NtQueryVolumeInformationFile (108, 1350528, 284, Volume, ... {status=0x0, info=18}, ) == 0x0 00611 436 NtQueryVolumeInformationFile (108, 1350824, 276, Attribute, ... {status=0x0, info=22}, ) == 0x0 00612 436 NtClose (108, ... ) == 0x0 00613 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 108, {status=0x0, info=1}, ) }, 3, 8388641, ... 108, {status=0x0, info=1}, ) == 0x0 00614 436 NtQueryVolumeInformationFile (108, 1244780, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00615 436 NtClose (108, ... ) == 0x0 00616 436 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00617 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0 00618 436 NtQueryInformationFile (108, 1244000, 528, Name, ... {status=0x0, info=6}, ) == 0x0 00619 436 NtQueryVolumeInformationFile (108, 1350528, 284, Volume, ... {status=0x0, info=18}, ) == 0x0 00620 436 NtQueryVolumeInformationFile (108, 1350824, 276, Attribute, ... {status=0x0, info=22}, ) == 0x0 00621 436 NtClose (108, ... ) == 0x0 00622 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 108, {status=0x0, info=1}, ) }, 3, 8388641, ... 108, {status=0x0, info=1}, ) == 0x0 00623 436 NtQueryVolumeInformationFile (108, 1244784, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00624 436 NtClose (108, ... 
) == 0x0 00625 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00626 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 108, ) == 0x0 00627 436 NtQueryInformationToken (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00628 436 NtClose (108, ... ) == 0x0 00629 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 108, ) }, ... 108, ) == 0x0 00630 436 NtSetInformationObject (110, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00631 436 NtQueryKey (110, Name, 382, ... {Name= (110, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00632 436 NtOpenKey (0x2000000, {24, 110, 0x40, 0, 0, (0x2000000, {24, 110, 0x40, 0, 0, ".key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00633 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 112, ) }, ... 112, ) == 0x0 00634 436 NtCreateKey (0x2, {24, 112, 0x40, 0, 0, (0x2, {24, 112, 0x40, 0, 0, ".key"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 00635 436 NtSetInformationFile (-2147482808, -133332404, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00636 436 NtSetInformationFile (-2147482808, -133332036, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00637 436 NtSetInformationFile (-2147482808, -133332028, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00634 436 NtCreateKey ... 116, 1, ) == 0x0 00638 436 NtClose (112, ... ) == 0x0 00639 436 NtQueryKey (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.keyo"}, 82, ) }, 82, ) == 0x0 00640 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00641 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00642 436 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00643 436 NtClose (112, ... 
) == 0x0 00644 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00645 436 NtSetValueKey (118, 0x0, 0, 1, (118, 0x0, 0, 1, "\0\0", 2, ... ) , 2, ... ) == 0x0 00646 436 NtClose (118, ... ) == 0x0 00647 436 NtQueryKey (110, Name, 384, ... {Name= (110, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00648 436 NtOpenKey (0x2, {24, 110, 0x40, 0, 0, (0x2, {24, 110, 0x40, 0, 0, ".key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00649 436 NtOpenKey (0x2, {24, 0, 0x40, 0, 0, (0x2, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.key"}, ... 116, ) }, ... 116, ) == 0x0 00650 436 NtQueryKey (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.keyo"}, 82, ) }, 82, ) == 0x0 00651 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00652 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00653 436 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00654 436 NtClose (112, ... ) == 0x0 00655 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00656 436 NtSetValueKey (118, " (118, "", 0, 1, "r\0e\0g\0f\0i\0l\0e\0\0\0", 16, ... ) r\0e\0g\0f\0i\0l\0e\0\0\0", 16, ... ) == 0x0 00657 436 NtClose (118, ... ) == 0x0 00658 436 NtAllocateVirtualMemory (-1, 10190848, 0, 32768, 4096, 4, ... 10190848, 32768, ) == 0x0 00659 436 NtFreeVirtualMemory (-1, (0x9bc000), 16384, 16384, ... (0x9bc000), 16384, ) == 0x0 00660 436 NtFreeVirtualMemory (-1, (0x9b8000), 16384, 16384, ... (0x9b8000), 16384, ) == 0x0 00661 436 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00662 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11862016, 65536, ) == 0x0 00663 436 NtAllocateVirtualMemory (-1, 11862016, 0, 4096, 4096, 4, ... 11862016, 4096, ) == 0x0 00664 436 NtAllocateVirtualMemory (-1, 0, 0, 22, 4096, 64, ... 11927552, 4096, ) == 0x0 00665 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 11993088, 4096, ) == 0x0 00666 436 NtAllocateVirtualMemory (-1, 0, 0, 27, 4096, 64, ... 12058624, 4096, ) == 0x0 00667 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 12124160, 4096, ) == 0x0 00668 436 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 64, ... 12189696, 4096, ) == 0x0 00669 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 12255232, 4096, ) == 0x0 00670 436 NtAllocateVirtualMemory (-1, 0, 0, 12, 4096, 64, ... 12320768, 4096, ) == 0x0 00671 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 12386304, 4096, ) == 0x0 00672 436 NtAllocateVirtualMemory (-1, 0, 0, 13, 4096, 64, ... 12451840, 4096, ) == 0x0 00673 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 12517376, 4096, ) == 0x0 00674 436 NtAllocateVirtualMemory (-1, 0, 0, 13, 4096, 64, ... 12582912, 4096, ) == 0x0 00675 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 12648448, 4096, ) == 0x0 00676 436 NtAllocateVirtualMemory (-1, 0, 0, 21, 4096, 64, ... 12713984, 4096, ) == 0x0 00677 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 12779520, 4096, ) == 0x0 00678 436 NtAllocateVirtualMemory (-1, 0, 0, 21, 4096, 64, ... 12845056, 4096, ) == 0x0 00679 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 12910592, 4096, ) == 0x0 00680 436 NtAllocateVirtualMemory (-1, 0, 0, 53, 4096, 64, ... 
12976128, 4096, ) == 0x0 00681 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 13041664, 4096, ) == 0x0 00682 436 NtAllocateVirtualMemory (-1, 11866112, 0, 4096, 4096, 4, ... 11866112, 4096, ) == 0x0 00683 436 NtAllocateVirtualMemory (-1, 0, 0, 15, 4096, 64, ... 13107200, 4096, ) == 0x0 00684 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 13172736, 4096, ) == 0x0 00685 436 NtAllocateVirtualMemory (-1, 0, 0, 22, 4096, 64, ... 13238272, 4096, ) == 0x0 00686 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 13303808, 4096, ) == 0x0 00687 436 NtAllocateVirtualMemory (-1, 0, 0, 15, 4096, 64, ... 13369344, 4096, ) == 0x0 00688 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 13434880, 4096, ) == 0x0 00689 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 116, ) }, ... 116, ) == 0x0 00690 436 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00691 436 NtClose (116, ... ) == 0x0 00692 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 116, ) }, ... 116, ) == 0x0 00693 436 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00694 436 NtClose (116, ... ) == 0x0 00695 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 116, ) }, ... 116, ) == 0x0 00696 436 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00697 436 NtClose (116, ... ) == 0x0 00698 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 116, ) }, ... 116, ) == 0x0 00699 436 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00700 436 NtClose (116, ... ) == 0x0 00701 436 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 
1351680, 4096, ) == 0x0 00702 436 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00703 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00704 436 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00705 436 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00706 436 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 00707 436 NtCreateEvent (0x1f0003, {24, 72, 0x80, 1240592, 0, (0x1f0003, {24, 72, 0x80, 1240592, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00708 436 NtOpenEvent (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 116, ) }, ... 116, ) == 0x0 00709 436 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 00710 436 NtAllocateVirtualMemory (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0 00711 436 NtCreateKey (0xf003f, {24, 80, 0x40, 0, 0, (0xf003f, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 112, 2, ) }, 0, 0x0, 0, ... 112, 2, ) == 0x0 00712 436 NtQueryDefaultUILanguage (1238828, ... 00713 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00714 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00715 436 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00716 436 NtClose (-2147482020, ... ) == 0x0 00717 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... 
-2147482020, ) == 0x0 00718 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00719 436 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00720 436 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00721 436 NtClose (-2147482032, ... ) == 0x0 00722 436 NtClose (-2147482020, ... ) == 0x0 00712 436 NtQueryDefaultUILanguage ... ) == 0x0 00723 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00724 436 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00725 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 120, {status=0x0, info=1}, ) }, 1, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00726 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 120, ... 124, ) == 0x0 00727 436 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xce0000), 0x0, 593920, ) == 0x0 00728 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00729 436 NtQueryDefaultUILanguage (2013024600, ... 00730 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00731 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00732 436 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00733 436 NtClose (-2147482020, ... 
) == 0x0 00734 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00735 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00736 436 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00737 436 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00738 436 NtClose (-2147482032, ... ) == 0x0 00739 436 NtClose (-2147482020, ... ) == 0x0 00729 436 NtQueryDefaultUILanguage ... ) == 0x0 00740 436 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00741 436 NtQueryDefaultLocale (1, 1236864, ... ) == 0x0 00742 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00743 436 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237720, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237720, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1x\0\0\0\377\377\377\377\0\0\0\0P\275\325\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\330\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1508, 0} "\350\242\27\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1x\0\0\0\377\377\377\377\0\0\0\0P\275\325\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\330\351\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 432, 436, 1508, 0} (24, {128, 156, new_msg, 0, 1237720, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1x\0\0\0\377\377\377\377\0\0\0\0P\275\325\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\330\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1508, 0} "\350\242\27\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1x\0\0\0\377\377\377\377\0\0\0\0P\275\325\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\330\351\22\0\0\0\0\0" ) ) == 0x0 00744 436 NtClose (120, ... ) == 0x0 00745 436 NtClose (124, ... ) == 0x0 00746 436 NtUnmapViewOfSection (-1, 0xce0000, ... ) == 0x0 00747 436 NtUnmapViewOfSection (-1, 0x12e9d8, ... ) == STATUS_NOT_MAPPED_VIEW 00748 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00749 436 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00750 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00751 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00752 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235404, ... ) }, 1235404, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00753 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00754 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00755 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00756 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1235996, ... ) }, 1235996, ... 
) == 0x0 00757 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 124, {status=0x0, info=1}, ) }, 3, 33, ... 124, {status=0x0, info=1}, ) == 0x0 00758 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00759 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00760 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 120, ... 128, ) == 0x0 00761 436 NtClose (120, ... ) == 0x0 00762 436 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd90000), 0x0, 921600, ) == 0x0 00763 436 NtClose (128, ... ) == 0x0 00764 436 NtUnmapViewOfSection (-1, 0xd90000, ... ) == 0x0 00765 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00766 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 128, ... 120, ) == 0x0 00767 436 NtQuerySection (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00768 436 NtClose (128, ... ) == 0x0 00769 436 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00770 436 NtClose (120, ... ) == 0x0 00771 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00772 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00773 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00774 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 00775 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00776 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00777 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00778 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00779 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00780 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00781 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00782 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00783 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00784 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00785 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00786 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00787 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00788 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00789 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00790 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00791 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00792 436 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1237180, ... ) , 42, 1237180, ... ) == 0x0 00793 436 NtQueryDefaultUILanguage (1235896, ... 00794 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00795 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00796 436 NtQueryInformationToken (-2147482020, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00797 436 NtClose (-2147482020, ... ) == 0x0 00798 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00799 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00800 436 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00801 436 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00802 436 NtClose (-2147482032, ... ) == 0x0 00803 436 NtClose (-2147482020, ... ) == 0x0 00793 436 NtQueryDefaultUILanguage ... ) == 0x0 00804 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00805 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234748, ... ) }, 1234748, ... ) == 0x0 00806 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00807 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 120, ... 128, ) == 0x0 00808 436 NtClose (120, ... ) == 0x0 00809 436 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xce0000), 0x0, 4096, ) == 0x0 00810 436 NtClose (128, ... ) == 0x0 00811 436 NtUnmapViewOfSection (-1, 0xce0000, ... ) == 0x0 00812 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234388, ... ) }, 1234388, ... 
) == 0x0 00813 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1235088, (0x80100080, {24, 0, 0x40, 0, 1235088, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) == 0x0 00814 436 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 128, ... 120, ) == 0x0 00815 436 NtClose (128, ... ) == 0x0 00816 436 NtMapViewOfSection (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xce0000), {0, 0}, 4096, ) == 0x0 00817 436 NtClose (120, ... ) == 0x0 00818 436 NtUnmapViewOfSection (-1, 0xce0000, ... ) == 0x0 00819 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 120, {status=0x0, info=1}, ) }, 1, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00820 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 120, ... 128, ) == 0x0 00821 436 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xce0000), 0x0, 4096, ) == 0x0 00822 436 NtQueryInformationFile (120, 1234708, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00823 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00824 436 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1234788, 1, 96, 0} (24, {128, 156, new_msg, 0, 1234788, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1x\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0d\336\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 432, 436, 1509, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1x\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0d\336\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 432, 436, 1509, 0} (24, {128, 156, new_msg, 0, 1234788, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1x\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0d\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1509, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1x\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0d\336\22\0\0\0\0\0" ) ) == 0x0 00825 436 NtClose (120, ... ) == 0x0 00826 436 NtClose (128, ... ) == 0x0 00827 436 NtUnmapViewOfSection (-1, 0xce0000, ... ) == 0x0 00828 436 NtUnmapViewOfSection (-1, 0x12de64, ... ) == STATUS_NOT_MAPPED_VIEW 00829 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00830 436 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00831 436 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00832 436 NtUserGetDC (0, ... ) == 0x1010051 00833 436 NtUserCallOneParam (16842833, 56, ... ) == 0x1 00834 436 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00835 436 NtUserSystemParametersInfo (66, 12, 1237200, 0, ... ) == 0x1 00836 436 NtOpenProcessToken (-1, 0x8, ... 128, ) == 0x0 00837 436 NtAccessCheck (1376480, 128, 0x1, 1236604, 1236548, 56, 1236632, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00838 436 NtClose (128, ... 
) == 0x0 00839 436 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Control Panel\Desktop"}, ... 128, ) }, ... 128, ) == 0x0 00840 436 NtQueryValueKey (128, (128, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00841 436 NtClose (128, ... ) == 0x0 00842 436 NtUserSystemParametersInfo (41, 500, 1236700, 0, ... ) == 0x1 00843 436 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 128, ) }, ... 128, ) == 0x0 00844 436 NtQueryValueKey (128, (128, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00845 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 120, ) }, ... 120, ) == 0x0 00846 436 NtQueryValueKey (120, (120, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00847 436 NtClose (120, ... ) == 0x0 00848 436 NtClose (128, ... ) == 0x0 00849 436 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00850 436 NtUserSystemParametersInfo (4130, 0, 1237224, 0, ... ) == 0x1 00851 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 128, ) }, ... 128, ) == 0x0 00852 436 NtEnumerateValueKey (128, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00853 436 NtClose (128, ... ) == 0x0 00854 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00855 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc03b 00856 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc03d 00857 436 NtUserFindExistingCursorIcon (1236504, 1236520, 1237088, ... ) == 0x10011 00858 436 NtUserRegisterClassExWOW (1236956, 1237036, 1237020, 1237052, 0, 384, 0, ... 
) == 0x810dc03f 00859 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00860 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc041 00861 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00862 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc043 00863 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc045 00864 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00865 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc047 00866 436 NtUserFindExistingCursorIcon (1236504, 1236520, 1237088, ... ) == 0x10011 00867 436 NtUserRegisterClassExWOW (1236956, 1237036, 1237020, 1237052, 0, 384, 0, ... ) == 0x810dc049 00868 436 NtUserGetClassInfo (1905590272, 1237120, 1237072, 1237148, 0, ... ) == 0xc049 00869 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00870 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc04b 00871 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00872 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc04d 00873 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00874 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc04f 00875 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc051 00876 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00877 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc053 00878 436 NtUserFindExistingCursorIcon (1236504, 1236520, 1237088, ... ) == 0x10011 00879 436 NtUserRegisterClassExWOW (1236956, 1237036, 1237020, 1237052, 0, 384, 0, ... 
) == 0x810dc055 00880 436 NtUserRegisterClassExWOW (1236956, 1237036, 1237020, 1237052, 0, 384, 0, ... ) == 0x810dc057 00881 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00882 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc059 00883 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10013 00884 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc05b 00885 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00886 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc05d 00887 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00888 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc05f 00889 436 NtUserFindExistingCursorIcon (1236504, 1236520, 1237088, ... ) == 0x10011 00890 436 NtUserRegisterClassExWOW (1236956, 1237036, 1237020, 1237052, 0, 384, 0, ... ) == 0x810dc017 00891 436 NtUserFindExistingCursorIcon (1236504, 1236520, 1237088, ... ) == 0x10011 00892 436 NtUserRegisterClassExWOW (1236956, 1237036, 1237020, 1237052, 0, 384, 0, ... ) == 0x810dc019 00893 436 NtUserFindExistingCursorIcon (1236504, 1236520, 1237088, ... ) == 0x10013 00894 436 NtUserRegisterClassExWOW (1236956, 1237036, 1237020, 1237052, 0, 384, 0, ... ) == 0x810dc018 00895 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00896 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc01a 00897 436 NtUserFindExistingCursorIcon (1236504, 1236520, 1237088, ... ) == 0x10011 00898 436 NtUserRegisterClassExWOW (1236956, 1237036, 1237020, 1237052, 0, 384, 0, ... ) == 0x810dc01c 00899 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00900 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... 
00901 436 NtAllocateVirtualMemory (-1, 6455296, 0, 4096, 4096, 32, ... 6455296, 4096, ) == 0x0 00900 436 NtUserRegisterClassExWOW ... ) == 0x810dc01e 00902 436 NtUserFindExistingCursorIcon (1236504, 1236520, 1237088, ... ) == 0x10011 00903 436 NtUserRegisterClassExWOW (1237016, 1237096, 1237080, 1237112, 0, 384, 0, ... ) == 0x810dc01b 00904 436 NtUserFindExistingCursorIcon (1236500, 1236516, 1237084, ... ) == 0x10011 00905 436 NtUserRegisterClassExWOW (1237012, 1237092, 1237076, 1237108, 0, 384, 0, ... ) == 0x810dc068 00906 436 NtUserFindExistingCursorIcon (1236508, 1236524, 1237092, ... ) == 0x10011 00907 436 NtUserRegisterClassExWOW (1236960, 1237040, 1237024, 1237056, 0, 384, 0, ... ) == 0x810dc06a 00908 436 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 128, 2, ) }, 0, 0x0, 0, ... 128, 2, ) == 0x0 00909 436 NtQueryValueKey (128, (128, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 436 NtQueryValueKey (128, (128, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00911 436 NtQueryValueKey (128, (128, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 436 NtQueryValueKey (128, (128, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00913 436 NtQueryValueKey (128, (128, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00914 436 NtQueryValueKey (128, (128, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 436 NtQueryValueKey (128, (128, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "EnableHttp1_1", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00916 436 NtQueryValueKey (128, (128, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 436 NtQueryValueKey (128, (128, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00918 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239932, ... ) }, 1239932, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1239932, ... ) }, 1239932, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00921 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1239932, ... ) }, 1239932, ... ) == 0x0 00922 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00923 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 120, ... 132, ) == 0x0 00924 436 NtQuerySection (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00925 436 NtClose (120, ... ) == 0x0 00926 436 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 00927 436 NtClose (132, ... ) == 0x0 00928 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 132, ) == 0x0 00929 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 120, ) == 0x0 00930 436 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 136, ) }, ... 136, ) == 0x0 00931 436 NtQueryEvent (136, Basic, 8, ... 
{EventType=0,SignalState=1,}, 0x0, ) == 0x0 00932 436 NtClose (136, ... ) == 0x0 00933 436 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241416, 140, ... 136, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241416, 140, ... 136, 0x0, 0x0, 256, 140, ) == 0x0 00934 436 NtRequestWaitReplyPort (136, {28, 52, new_msg, 0, 0, 0, 0, 0} (136, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 432, 436, 1511, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 432, 436, 1511, 0} (136, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 432, 436, 1511, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 00935 436 NtQueryValueKey (128, (128, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 436 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 140, ) }, ... 140, ) == 0x0 00937 436 NtQueryValueKey (140, (140, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 436 NtClose (140, ... 
) == 0x0 00939 436 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 140, ) }, ... 140, ) == 0x0 00940 436 NtQueryValueKey (140, (140, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00941 436 NtClose (140, ... ) == 0x0 00942 436 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 140, ) }, ... 140, ) == 0x0 00943 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 144, ) }, ... 144, ) == 0x0 00944 436 NtQueryValueKey (144, (144, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (144, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00945 436 NtClose (144, ... ) == 0x0 00946 436 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 144, ) }, ... 144, ) == 0x0 00947 436 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 148, ) }, ... 148, ) == 0x0 00948 436 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 152, ) }, ... 152, ) == 0x0 00949 436 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 156, ) }, ... 156, ) == 0x0 00950 436 NtQueryValueKey (156, (156, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Signature", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00951 436 NtQueryValueKey (156, (156, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00952 436 NtClose (156, ... ) == 0x0 00953 436 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0 00954 436 NtQueryValueKey (156, (156, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00955 436 NtQueryValueKey (156, (156, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00956 436 NtQueryValueKey (156, (156, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00957 436 NtQueryValueKey (156, (156, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00958 436 NtQueryValueKey (156, (156, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00959 436 NtQueryValueKey (156, (156, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00960 436 NtClose (156, ... ) == 0x0 00961 436 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "Content"}, ... 156, ) }, ... 156, ) == 0x0 00962 436 NtQueryValueKey (156, (156, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "PerUserItem", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00963 436 NtClose (156, ... ) == 0x0 00964 436 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "Content"}, ... 156, ) }, ... 156, ) == 0x0 00965 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 160, ) }, ... 160, ) == 0x0 00966 436 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00967 436 NtClose (160, ... ) == 0x0 00968 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 160, ) }, ... 160, ) == 0x0 00969 436 NtQueryValueKey (160, (160, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00970 436 NtClose (160, ... ) == 0x0 00971 436 NtQueryDefaultUILanguage (1236384, ... 00972 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00973 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00974 436 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00975 436 NtClose (-2147482020, ... ) == 0x0 00976 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00977 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00978 436 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00979 436 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00980 436 NtClose (-2147482032, ... ) == 0x0 00981 436 NtClose (-2147482020, ... ) == 0x0 00971 436 NtQueryDefaultUILanguage ... ) == 0x0 00982 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00983 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 160, {status=0x0, info=1}, ) }, 1, 96, ... 160, {status=0x0, info=1}, ) == 0x0 00984 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 160, ... 164, ) == 0x0 00985 436 NtMapViewOfSection (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xd90000), 0x0, 8323072, ) == 0x0 00986 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00987 436 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00988 436 NtQueryDefaultLocale (1, 1234420, ... ) == 0x0 00989 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00990 436 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1235276, 1, 96, 0} (24, {128, 156, new_msg, 0, 1235276, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\20\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0L\340\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 432, 436, 1512, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\20\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0L\340\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 432, 436, 1512, 0} (24, {128, 156, new_msg, 0, 1235276, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\20\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0L\340\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1512, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\20\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0L\340\22\0\0\0\0\0" ) ) == 0x0 00991 436 NtClose (160, ... ) == 0x0 00992 436 NtClose (164, ... ) == 0x0 00993 436 NtUnmapViewOfSection (-1, 0xd90000, ... ) == 0x0 00994 436 NtUnmapViewOfSection (-1, 0x12e04c, ... ) == STATUS_NOT_MAPPED_VIEW 00995 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00996 436 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00997 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00998 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00999 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233504, ... ) }, 1233504, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01000 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01001 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01002 436 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 01003 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1234096, ... ) }, 1234096, ... ) == 0x0 01004 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 164, {status=0x0, info=1}, ) }, 3, 33, ... 164, {status=0x0, info=1}, ) == 0x0 01005 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01006 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 160, ) }, ... 160, ) == 0x0 01007 436 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 01008 436 NtClose (160, ... ) == 0x0 01009 436 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {432, 0}, ... 160, ) == 0x0 01010 436 NtQueryInformationProcess (160, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01011 436 NtClose (160, ... ) == 0x0 01012 436 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01013 436 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 01014 436 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 01015 436 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Control Panel\Desktop"}, ... 160, ) }, ... 160, ) == 0x0 01016 436 NtQueryValueKey (160, (160, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01017 436 NtClose (160, ... ) == 0x0 01018 436 NtUserSystemParametersInfo (41, 500, 1235960, 0, ... ) == 0x1 01019 436 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 01020 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01021 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01022 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... 
) == 0x810dc03b 01023 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01024 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc03d 01025 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01026 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01027 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc03f 01028 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01029 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01030 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc041 01031 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01032 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01033 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc043 01034 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01035 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc045 01036 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01037 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01038 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc047 01039 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01040 436 NtUserFindExistingCursorIcon (1235748, 1235764, 1236332, ... ) == 0x10011 01041 436 NtUserRegisterClassExWOW (1236200, 1236280, 1236264, 1236296, 0, 384, 0, ... ) == 0x810dc049 01042 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01043 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... 
) == 0x10011 01044 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc04b 01045 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01046 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01047 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc04d 01048 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01049 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01050 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc04f 01051 436 NtUserGetClassInfo (1999896576, 1236372, 1236324, 1236400, 0, ... ) == 0x0 01052 436 NtUserRegisterClassExWOW (1236208, 1236288, 1236272, 1236304, 0, 384, 0, ... ) == 0x810dc051 01053 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01054 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01055 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc053 01056 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01057 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01058 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc055 01059 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc057 01060 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01061 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01062 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc059 01063 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01064 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... 
) == 0x10013 01065 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc05b 01066 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01067 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01068 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc05d 01069 436 NtUserGetClassInfo (1999896576, 1236368, 1236320, 1236396, 0, ... ) == 0x0 01070 436 NtUserFindExistingCursorIcon (1235752, 1235768, 1236336, ... ) == 0x10011 01071 436 NtUserRegisterClassExWOW (1236204, 1236284, 1236268, 1236300, 0, 384, 0, ... ) == 0x810dc05f 01072 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc03b 01073 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc03d 01074 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc03f 01075 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc041 01076 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc043 01077 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc045 01078 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc047 01079 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc049 01080 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc04b 01081 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc04d 01082 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc04f 01083 436 NtUserGetClassInfo (1999896576, 1238124, 1238076, 1238152, 0, ... ) == 0xc051 01084 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc053 01085 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc055 01086 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... 
) == 0xc059 01087 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc05b 01088 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc05d 01089 436 NtUserGetClassInfo (1999896576, 1238120, 1238072, 1238148, 0, ... ) == 0xc05f 01090 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01091 436 NtCreateSemaphore (0x1f0003, {24, 72, 0x80, 1379752, 0, (0x1f0003, {24, 72, 0x80, 1379752, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 160, ) }, 0, 2147483647, ... 160, ) == STATUS_OBJECT_NAME_EXISTS 01092 436 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 01093 436 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x0 01094 436 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 01095 436 NtQueryValueKey (168, (168, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01096 436 NtClose (168, ... ) == 0x0 01097 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1238644, ... ) }, 1238644, ... ) == 0x0 01098 436 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 
168, 2, ) == 0x0 01099 436 NtSetValueKey (168, (168, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1, (168, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 01100 436 NtClose (168, ... ) == 0x0 01101 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239976, ... ) }, 1239976, ... ) == 0x0 01102 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239708, ... ) }, 1239708, ... ) == 0x0 01103 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0 01104 436 NtSetInformationFile (168, 1239684, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01105 436 NtClose (168, ... ) == 0x0 01106 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1239708, ... ) }, 1239708, ... ) == 0x0 01107 436 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01108 436 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01109 436 NtQueryValueKey (156, (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 01110 436 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 168, ) }, ... 168, ) == 0x0 01111 436 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "Paths"}, ... 172, ) }, ... 172, ) == 0x0 01112 436 NtOpenKey (0xf, {24, 172, 0x40, 0, 0, (0xf, {24, 172, 0x40, 0, 0, "Path1"}, ... 176, ) }, ... 176, ) == 0x0 01113 436 NtOpenKey (0xf, {24, 172, 0x40, 0, 0, (0xf, {24, 172, 0x40, 0, 0, "Path2"}, ... 180, ) }, ... 180, ) == 0x0 01114 436 NtOpenKey (0xf, {24, 172, 0x40, 0, 0, (0xf, {24, 172, 0x40, 0, 0, "Path3"}, ... 184, ) }, ... 184, ) == 0x0 01115 436 NtOpenKey (0xf, {24, 172, 0x40, 0, 0, (0xf, {24, 172, 0x40, 0, 0, "Path4"}, ... 188, ) }, ... 188, ) == 0x0 01116 436 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "Special Paths"}, ... 192, ) }, ... 192, ) == 0x0 01117 436 NtSetValueKey (172, (172, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (172, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... 
) == 0x0 01118 436 NtSetValueKey (172, (172, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (172, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0 01119 436 NtSetValueKey (176, (176, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1, (176, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 01120 436 NtSetValueKey (180, (180, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (180, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 01121 436 NtSetValueKey (184, (184, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... 
) , 0, 1, (184, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0 01122 436 NtSetValueKey (188, (188, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (188, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 01123 436 NtSetValueKey (176, (176, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (176, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01124 436 NtSetValueKey (180, (180, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (180, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01125 436 NtSetValueKey (184, (184, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (184, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01126 436 NtSetValueKey (188, (188, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (188, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01127 436 NtClose (188, ... ) == 0x0 01128 436 NtClose (184, ... ) == 0x0 01129 436 NtClose (180, ... ) == 0x0 01130 436 NtClose (176, ... ) == 0x0 01131 436 NtClose (172, ... ) == 0x0 01132 436 NtClose (192, ... ) == 0x0 01133 436 NtClose (168, ... 
) == 0x0 01134 436 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "Cookies"}, ... 168, ) }, ... 168, ) == 0x0 01135 436 NtQueryValueKey (168, (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01136 436 NtClose (168, ... ) == 0x0 01137 436 NtClose (156, ... ) == 0x0 01138 436 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "Cookies"}, ... 156, ) }, ... 156, ) == 0x0 01139 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01140 436 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 01141 436 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x0 01142 436 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 01143 436 NtQueryValueKey (168, (168, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01144 436 NtClose (168, ... ) == 0x0 01145 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1238644, ... ) }, 1238644, ... ) == 0x0 01146 436 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 01147 436 NtSetValueKey (168, (168, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... 
) , 0, 1, (168, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 01148 436 NtClose (168, ... ) == 0x0 01149 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1239976, ... ) }, 1239976, ... ) == 0x0 01150 436 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01151 436 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01152 436 NtQueryValueKey (156, (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01153 436 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "History"}, ... 168, ) }, ... 168, ) == 0x0 01154 436 NtQueryValueKey (168, (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01155 436 NtClose (168, ... ) == 0x0 01156 436 NtClose (156, ... ) == 0x0 01157 436 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "History"}, ... 156, ) }, ... 156, ) == 0x0 01158 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01159 436 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 01160 436 NtWaitForSingleObject (160, 0, {0, 0}, ... 
) == 0x0 01161 436 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 01162 436 NtQueryValueKey (168, (168, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01163 436 NtClose (168, ... ) == 0x0 01164 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1238644, ... ) }, 1238644, ... ) == 0x0 01165 436 NtCreateKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 01166 436 NtSetValueKey (168, (168, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (168, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 01167 436 NtClose (168, ... ) == 0x0 01168 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239976, ... ) }, 1239976, ... ) == 0x0 01169 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239708, ... ) }, 1239708, ... 
) == 0x0 01170 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0 01171 436 NtSetInformationFile (168, 1239684, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01172 436 NtClose (168, ... ) == 0x0 01173 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1239708, ... ) }, 1239708, ... ) == 0x0 01174 436 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01175 436 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01176 436 NtQueryValueKey (156, (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01177 436 NtClose (156, ... ) == 0x0 01178 436 NtClose (152, ... ) == 0x0 01179 436 NtClose (144, ... ) == 0x0 01180 436 NtClose (148, ... ) == 0x0 01181 436 NtClose (140, ... ) == 0x0 01182 436 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 140, ) }, ... 140, ) == 0x0 01183 436 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 148, ) }, ... 
148, ) == 0x0 01184 436 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01185 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 144, {status=0x0, info=1}, ) }, 3, 8388641, ... 144, {status=0x0, info=1}, ) == 0x0 01186 436 NtQueryVolumeInformationFile (144, 1241228, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01187 436 NtClose (144, ... ) == 0x0 01188 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 144, {status=0x0, info=1}, ) }, 3, 8388641, ... 144, {status=0x0, info=1}, ) == 0x0 01189 436 NtQueryVolumeInformationFile (144, 1241252, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01190 436 NtClose (144, ... ) == 0x0 01191 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241580, ... ) }, 1241580, ... ) == 0x0 01192 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 144, {status=0x0, info=1}, ) }, 7, 2113568, ... 144, {status=0x0, info=1}, ) == 0x0 01193 436 NtSetInformationFile (144, 1241556, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01194 436 NtClose (144, ... ) == 0x0 01195 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 1379752, 1241572, (0xc0100080, {24, 0, 0x40, 1379752, 1241572, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 01196 436 NtSetInformationFile (144, 1241624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01197 436 NtQueryInformationFile (144, 1241624, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 01198 436 NtClose (144, ... ) == 0x0 01199 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 1379752, 1241556, (0xc0100080, {24, 0, 0x40, 1379752, 1241556, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 01200 436 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 152, ) }, ... 152, ) == 0x0 01201 436 NtMapViewOfSection (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xd00000), {0, 0}, 32768, ) == 0x0 01202 436 NtReleaseMutant (148, ... 0x0, ) == 0x0 01203 436 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 156, ) }, ... 156, ) == 0x0 01204 436 NtWaitForSingleObject (156, 0, 0x0, ... ) == 0x0 01205 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 168, {status=0x0, info=1}, ) }, 3, 8388641, ... 168, {status=0x0, info=1}, ) == 0x0 01206 436 NtQueryVolumeInformationFile (168, 1241228, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01207 436 NtClose (168, ... ) == 0x0 01208 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 168, {status=0x0, info=1}, ) }, 3, 8388641, ... 168, {status=0x0, info=1}, ) == 0x0 01209 436 NtQueryVolumeInformationFile (168, 1241252, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01210 436 NtClose (168, ... ) == 0x0 01211 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1241580, ... ) }, 1241580, ... 
) == 0x0 01212 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0 01213 436 NtSetInformationFile (168, 1241556, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01214 436 NtClose (168, ... ) == 0x0 01215 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 1379752, 1241572, (0xc0100080, {24, 0, 0x40, 1379752, 1241572, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0 01216 436 NtSetInformationFile (168, 1241624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01217 436 NtQueryInformationFile (168, 1241624, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01218 436 NtClose (168, ... ) == 0x0 01219 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 1379752, 1241556, (0xc0100080, {24, 0, 0x40, 1379752, 1241556, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0 01220 436 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 192, ) }, ... 192, ) == 0x0 01221 436 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xd10000), {0, 0}, 16384, ) == 0x0 01222 436 NtReleaseMutant (156, ... 0x0, ) == 0x0 01223 436 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 172, ) }, ... 172, ) == 0x0 01224 436 NtWaitForSingleObject (172, 0, 0x0, ... ) == 0x0 01225 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 
176, {status=0x0, info=1}, ) }, 3, 8388641, ... 176, {status=0x0, info=1}, ) == 0x0 01226 436 NtQueryVolumeInformationFile (176, 1241228, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01227 436 NtClose (176, ... ) == 0x0 01228 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 176, {status=0x0, info=1}, ) }, 3, 8388641, ... 176, {status=0x0, info=1}, ) == 0x0 01229 436 NtQueryVolumeInformationFile (176, 1241252, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01230 436 NtClose (176, ... ) == 0x0 01231 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241580, ... ) }, 1241580, ... ) == 0x0 01232 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0 01233 436 NtSetInformationFile (176, 1241556, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01234 436 NtClose (176, ... ) == 0x0 01235 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 1379752, 1241572, (0xc0100080, {24, 0, 0x40, 1379752, 1241572, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01236 436 NtSetInformationFile (176, 1241624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01237 436 NtQueryInformationFile (176, 1241624, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01238 436 NtClose (176, ... ) == 0x0 01239 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 1379752, 1241556, (0xc0100080, {24, 0, 0x40, 1379752, 1241556, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 
176, {status=0x0, info=1}, ) == 0x0 01240 436 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 01241 436 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 180, ) }, ... 180, ) == 0x0 01242 436 NtMapViewOfSection (180, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xd20000), {0, 0}, 32768, ) == 0x0 01243 436 NtReleaseMutant (172, ... 0x0, ) == 0x0 01244 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241636, ... ) }, 1241636, ... ) == 0x0 01245 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01246 436 NtSetInformationFile (184, 1241612, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01247 436 NtClose (184, ... ) == 0x0 01248 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241636, ... ) }, 1241636, ... ) == 0x0 01249 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241636, ... ) }, 1241636, ... ) == 0x0 01250 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01251 436 NtSetInformationFile (184, 1241612, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01252 436 NtClose (184, ... 
) == 0x0 01253 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1241636, ... ) }, 1241636, ... ) == 0x0 01254 436 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01255 436 NtQueryInformationFile (144, 1240020, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01256 436 NtReleaseMutant (148, ... 0x0, ) == 0x0 01257 436 NtOpenKey (0xf, {24, 80, 0x40, 0, 0, (0xf, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 184, ) }, ... 184, ) == 0x0 01258 436 NtOpenKey (0xf, {24, 184, 0x40, 0, 0, (0xf, {24, 184, 0x40, 0, 0, "Extensible Cache"}, ... 188, ) }, ... 188, ) == 0x0 01259 436 NtClose (184, ... ) == 0x0 01260 436 NtWaitForSingleObject (140, 0, {-600000000, -1}, ... ) == 0x0 01261 436 NtEnumerateKey (188, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (188, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 01262 436 NtOpenKey (0xf, {24, 188, 0x40, 0, 0, (0xf, {24, 188, 0x40, 0, 0, "MSHist012007051420070521"}, ... 184, ) }, ... 184, ) == 0x0 01263 436 NtQueryValueKey (184, (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01264 436 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01265 436 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01266 436 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01267 436 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01268 436 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01269 436 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01270 436 NtQueryValueKey (184, (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01271 436 NtQueryValueKey (184, (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01272 436 NtClose (184, ... ) == 0x0 01273 436 NtEnumerateKey (188, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (188, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 01274 436 NtOpenKey (0xf, {24, 188, 0x40, 0, 0, (0xf, {24, 188, 0x40, 0, 0, "MSHist012007052120070528"}, ... 184, ) }, ... 184, ) == 0x0 01275 436 NtQueryValueKey (184, (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01276 436 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01277 436 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01278 436 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01279 436 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01280 436 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01281 436 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01282 436 NtQueryValueKey (184, (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01283 436 NtQueryValueKey (184, (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheOptions", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01284 436 NtClose (184, ... ) == 0x0 01285 436 NtEnumerateKey (188, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (188, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 01286 436 NtOpenKey (0xf, {24, 188, 0x40, 0, 0, (0xf, {24, 188, 0x40, 0, 0, "MSHist012007053120070601"}, ... 184, ) }, ... 184, ) == 0x0 01287 436 NtQueryValueKey (184, (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01288 436 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01289 436 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01290 436 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01291 436 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01292 436 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01293 436 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01294 436 NtQueryValueKey (184, (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01295 436 NtQueryValueKey (184, (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01296 436 NtClose (184, ... ) == 0x0 01297 436 NtEnumerateKey (188, 3, Basic, 288, ... 
) == STATUS_NO_MORE_ENTRIES 01298 436 NtReleaseMutant (140, ... 0x0, ) == 0x0 01299 436 NtClose (188, ... ) == 0x0 01300 436 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01301 436 NtQueryInformationFile (144, 1241948, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01302 436 NtReleaseMutant (148, ... 0x0, ) == 0x0 01303 436 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01304 436 NtQueryInformationFile (144, 1242020, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01305 436 NtReleaseMutant (148, ... 0x0, ) == 0x0 01306 436 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 436 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01308 436 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01309 436 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01310 436 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01311 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) }, ... 188, ) == 0x0 01312 436 NtQueryValueKey (188, (188, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01313 436 NtClose (188, ... ) == 0x0 01314 436 NtQueryValueKey (128, (128, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01315 436 NtQueryValueKey (128, (128, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01316 436 NtQueryValueKey (128, (128, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01317 436 NtQueryValueKey (128, (128, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01318 436 NtQueryValueKey (128, (128, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01319 436 NtQueryValueKey (128, (128, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01320 436 NtQueryValueKey (128, (128, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01321 436 NtQueryValueKey (128, (128, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01322 436 NtQueryValueKey (128, (128, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01323 436 NtQueryValueKey (128, (128, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01324 436 NtQueryValueKey (128, (128, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01325 436 NtQueryValueKey (128, (128, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01326 436 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 188, ) }, ... 188, ) == 0x0 01327 436 NtQueryValueKey (188, (188, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01328 436 NtClose (188, ... ) == 0x0 01329 436 NtQueryValueKey (128, (128, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01330 436 NtQueryValueKey (128, (128, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01331 436 NtQueryValueKey (128, (128, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01332 436 NtQueryValueKey (128, (128, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01333 436 NtQueryValueKey (128, (128, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01334 436 NtQueryValueKey (128, (128, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01335 436 NtQueryValueKey (128, (128, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01336 436 NtQueryValueKey (128, (128, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01337 436 NtQueryValueKey (128, (128, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01338 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) }, ... 188, ) == 0x0 01339 436 NtQueryValueKey (188, (188, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01340 436 NtClose (188, ... ) == 0x0 01341 436 NtQueryValueKey (128, (128, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01342 436 NtQueryValueKey (128, (128, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01343 436 NtQueryValueKey (128, (128, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01344 436 NtQueryValueKey (128, (128, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01345 436 NtQueryValueKey (128, (128, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01346 436 NtQueryValueKey (128, (128, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01347 436 NtQueryValueKey (128, (128, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 436 NtQueryValueKey (128, (128, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01349 436 NtQueryValueKey (128, (128, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01350 436 NtQueryValueKey (128, (128, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01351 436 NtQueryValueKey (128, (128, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (128, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01352 436 NtQueryValueKey (128, (128, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01353 436 NtQueryValueKey (128, (128, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01354 436 NtQueryValueKey (128, (128, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01355 436 NtQueryValueKey (128, (128, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01356 436 NtQueryValueKey (128, (128, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01357 436 NtQueryValueKey (128, (128, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01358 436 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "WininetStartupMutex"}, ... 188, ) }, ... 188, ) == 0x0 01359 436 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 184, ) == 0x0 01360 436 NtQueryValueKey (128, (128, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01361 436 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01362 436 NtQueryInformationFile (144, 1241996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01363 436 NtReleaseMutant (148, ... 0x0, ) == 0x0 01364 436 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "WininetConnectionMutex"}, ... 196, ) }, ... 196, ) == 0x0 01365 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 200, ) == 0x0 01366 436 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 204, ) }, ... 204, ) == 0x0 01367 436 NtQueryValueKey (128, (128, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01368 436 NtQueryValueKey (128, (128, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "NoNetAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01369 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 208, ) }, ... 208, ) == 0x0 01370 436 NtQueryValueKey (208, (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01371 436 NtQueryValueKey (208, (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01372 436 NtClose (208, ... ) == 0x0 01373 436 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 01374 436 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 208, ) == 0x0 01375 436 NtWaitForSingleObject (208, 0, 0x0, ... ) == 0x0 01376 436 NtClearEvent (208, ... ) == 0x0 01377 436 NtSetEvent (208, ... 0x0, ) == 0x0 01378 436 NtClearEvent (184, ... ) == 0x0 01379 436 NtSetEvent (184, ... 0x0, ) == 0x0 01380 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01381 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1240460, ... ) }, 1240460, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01382 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "icmp.dll"}, 1240460, ... ) }, 1240460, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01383 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 1240460, ... ) }, 1240460, ... 
) == 0x0 01384 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icmp.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01385 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01386 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01387 436 NtClose (212, ... ) == 0x0 01388 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0 01389 436 NtClose (216, ... ) == 0x0 01390 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01391 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1240908, ... ) }, 1240908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01392 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1240908, ... ) }, 1240908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01393 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1240908, ... ) }, 1240908, ... ) == 0x0 01394 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01395 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01396 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01397 436 NtClose (216, ... ) == 0x0 01398 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 01399 436 NtClose (212, ... ) == 0x0 01400 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01401 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1240104, ... ) }, 1240104, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01402 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 1240104, ... ) }, 1240104, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01403 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1240104, ... ) }, 1240104, ... ) == 0x0 01404 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01405 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01406 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01407 436 NtClose (212, ... ) == 0x0 01408 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 01409 436 NtClose (216, ... ) == 0x0 01410 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01411 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1239300, ... ) }, 1239300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01412 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1239300, ... ) }, 1239300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01413 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1239300, ... ) }, 1239300, ... ) == 0x0 01414 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01415 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 
212, ) == 0x0 01416 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01417 436 NtClose (216, ... ) == 0x0 01418 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 01419 436 NtClose (212, ... ) == 0x0 01420 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01421 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01422 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01423 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1238496, ... ) }, 1238496, ... ) == 0x0 01424 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01425 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01426 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01427 436 NtClose (212, ... ) == 0x0 01428 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 01429 436 NtClose (216, ... ) == 0x0 01430 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1237692, ... ) }, 1237692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1237692, ... ) }, 1237692, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01433 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1237692, ... ) }, 1237692, ... ) == 0x0 01434 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01435 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01436 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01437 436 NtClose (216, ... ) == 0x0 01438 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 01439 436 NtClose (212, ... ) == 0x0 01440 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1236888, ... ) }, 1236888, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1236888, ... ) }, 1236888, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01443 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1236888, ... ) }, 1236888, ... ) == 0x0 01444 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01445 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01446 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01447 436 NtClose (212, ... ) == 0x0 01448 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01449 436 NtClose (216, ... 
) == 0x0 01450 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 216, ) }, ... 216, ) == 0x0 01451 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01452 436 NtClose (216, ... ) == 0x0 01453 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01454 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237692, ... ) }, 1237692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237692, ... ) }, 1237692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01456 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237692, ... ) }, 1237692, ... ) == 0x0 01457 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01458 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01459 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01460 436 NtClose (216, ... ) == 0x0 01461 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 01462 436 NtClose (212, ... ) == 0x0 01463 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01464 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01465 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1238496, ... ) }, 1238496, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01466 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1238496, ... ) }, 1238496, ... ) == 0x0 01467 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01468 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01469 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01470 436 NtClose (212, ... ) == 0x0 01471 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 01472 436 NtClose (216, ... ) == 0x0 01473 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01474 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01475 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01476 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1238496, ... ) }, 1238496, ... ) == 0x0 01477 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01478 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01479 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01480 436 NtClose (216, ... ) == 0x0 01481 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 01482 436 NtClose (212, ... 
) == 0x0 01483 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01484 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01485 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01486 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1238496, ... ) }, 1238496, ... ) == 0x0 01487 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01488 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01489 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01490 436 NtClose (212, ... ) == 0x0 01491 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 01492 436 NtClose (216, ... ) == 0x0 01493 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1239300, ... ) }, 1239300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01495 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1239300, ... ) }, 1239300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01496 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1239300, ... ) }, 1239300, ... ) == 0x0 01497 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 
216, {status=0x0, info=1}, ) == 0x0 01498 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01499 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01500 436 NtClose (216, ... ) == 0x0 01501 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 01502 436 NtClose (212, ... ) == 0x0 01503 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01505 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01506 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1238496, ... ) }, 1238496, ... ) == 0x0 01507 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01508 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01509 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01510 436 NtClose (212, ... ) == 0x0 01511 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 01512 436 NtClose (216, ... ) == 0x0 01513 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01514 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01515 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1238496, ... ) }, 1238496, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01516 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1238496, ... ) }, 1238496, ... ) == 0x0 01517 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01518 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01519 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01520 436 NtClose (216, ... ) == 0x0 01521 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 01522 436 NtClose (212, ... ) == 0x0 01523 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01524 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1237692, ... ) }, 1237692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01525 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1237692, ... ) }, 1237692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01526 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1237692, ... ) }, 1237692, ... ) == 0x0 01527 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01528 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01529 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01530 436 NtClose (212, ... ) == 0x0 01531 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 01532 436 NtClose (216, ... 
) == 0x0 01533 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01534 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1239300, ... ) }, 1239300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01535 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1239300, ... ) }, 1239300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01536 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1239300, ... ) }, 1239300, ... ) == 0x0 01537 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01538 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01539 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01540 436 NtClose (216, ... ) == 0x0 01541 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 01542 436 NtClose (212, ... ) == 0x0 01543 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01544 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01545 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01546 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1238496, ... ) }, 1238496, ... ) == 0x0 01547 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 
212, {status=0x0, info=1}, ) == 0x0 01548 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01549 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01550 436 NtClose (212, ... ) == 0x0 01551 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 01552 436 NtClose (216, ... ) == 0x0 01553 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01554 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01555 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01556 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1238496, ... ) }, 1238496, ... ) == 0x0 01557 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01558 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01559 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01560 436 NtClose (216, ... ) == 0x0 01561 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 01562 436 NtClose (212, ... ) == 0x0 01563 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01564 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1237692, ... ) }, 1237692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01565 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1237692, ... 
) }, 1237692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01566 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1237692, ... ) }, 1237692, ... ) == 0x0 01567 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01568 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01569 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01570 436 NtClose (212, ... ) == 0x0 01571 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01572 436 NtClose (216, ... ) == 0x0 01573 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01574 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01575 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1238496, ... ) }, 1238496, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01576 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1238496, ... ) }, 1238496, ... ) == 0x0 01577 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0 01578 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0 01579 436 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01580 436 NtClose (216, ... ) == 0x0 01581 436 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 01582 436 NtClose (212, ... 
) == 0x0 01583 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01584 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1237692, ... ) }, 1237692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01585 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1237692, ... ) }, 1237692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01586 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1237692, ... ) }, 1237692, ... ) == 0x0 01587 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01588 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01589 436 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01590 436 NtClose (212, ... ) == 0x0 01591 436 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 01592 436 NtClose (216, ... ) == 0x0 01593 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 216, ) == 0x0 01594 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 212, ) }, ... 212, ) == 0x0 01595 436 NtQueryValueKey (212, (212, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01596 436 NtClose (212, ... ) == 0x0 01597 436 NtAllocateVirtualMemory (-1, 9584640, 0, 4096, 4096, 4, ... 9584640, 4096, ) == 0x0 01598 436 NtQueryDefaultLocale (1, 1241552, ... ) == 0x0 01599 436 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01600 436 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 13828096, 262144, ) == 0x0 01601 436 NtAllocateVirtualMemory (-1, 13828096, 0, 4096, 4096, 4, ... 13828096, 4096, ) == 0x0 01602 436 NtAllocateVirtualMemory (-1, 13832192, 0, 8192, 4096, 4, ... 13832192, 8192, ) == 0x0 01603 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01604 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01605 436 NtQueryDefaultLocale (1, 1241512, ... ) == 0x0 01606 436 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01607 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0 01608 436 NtQueryValueKey (212, (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01609 436 NtClose (212, ... ) == 0x0 01610 436 NtUserGetProcessWindowStation (... ) == 0x28 01611 436 NtUserGetObjectInformation (40, 1, 1241184, 12, 1241196, ... ) == 0x1 01612 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 212, ) }, ... 212, ) == 0x0 01613 436 NtQueryValueKey (212, (212, "seed", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 01614 436 NtClose (212, ... ) == 0x0 01615 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 212, ) }, ... 212, ) == 0x0 01616 436 NtQueryValueKey (212, (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01617 436 NtQueryValueKey (212, (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01618 436 NtClose (212, ... ) == 0x0 01619 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 212, ) }, ... 212, ) == 0x0 01620 436 NtQueryValueKey (212, (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01621 436 NtQueryValueKey (212, (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01622 436 NtClose (212, ... 
) == 0x0 01623 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0 01624 436 NtQueryValueKey (212, (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01625 436 NtQueryValueKey (212, (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01626 436 NtClose (212, ... ) == 0x0 01627 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0 01628 436 NtQueryValueKey (212, (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01629 436 NtQueryValueKey (212, (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01630 436 NtClose (212, ... ) == 0x0 01631 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0 01632 436 NtQueryValueKey (212, (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "DriverCachePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01633 436 NtQueryValueKey (212, (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01634 436 NtClose (212, ... ) == 0x0 01635 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 212, ) }, ... 212, ) == 0x0 01636 436 NtQueryValueKey (212, (212, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 01637 436 NtClose (212, ... ) == 0x0 01638 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0 01639 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 220, ) == 0x0 01640 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0 01641 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 228, ) == 0x0 01642 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0 01643 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 236, ) == 0x0 01644 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 240, ) }, ... 240, ) == 0x0 01645 436 NtQueryValueKey (240, (240, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01646 436 NtQueryValueKey (240, (240, "LogPath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01647 436 NtOpenKey (0x1, {24, 240, 0x40, 0, 0, (0x1, {24, 240, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01648 436 NtClose (240, ... ) == 0x0 01649 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1241104, ... ) }, 1241104, ... ) == 0x0 01650 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 240, ) }, ... 240, ) == 0x0 01651 436 NtQueryValueKey (240, (240, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (240, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (240, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01652 436 NtClose (240, ... ) == 0x0 01653 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 240, ) }, ... 240, ) == 0x0 01654 436 NtQueryValueKey (240, (240, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (240, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (240, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 01655 436 NtClose (240, ... ) == 0x0 01656 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01657 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 240, ) }, ... 240, ) == 0x0 01658 436 NtQueryValueKey (240, (240, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (240, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (240, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 01659 436 NtClose (240, ... ) == 0x0 01660 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0 01661 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 244, ) == 0x0 01662 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 248, ) == 0x0 01663 436 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 252, ) }, ... 252, ) == 0x0 01664 436 NtQueryValueKey (252, (252, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01665 436 NtQueryValueKey (252, (252, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01666 436 NtQueryValueKey (252, (252, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01667 436 NtQueryValueKey (252, (252, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01668 436 NtQueryValueKey (252, (252, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01669 436 NtQueryValueKey (252, (252, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01670 436 NtQueryValueKey (252, (252, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01671 436 NtQueryValueKey (252, (252, "wave7", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01672 436 NtQueryValueKey (252, (252, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01673 436 NtQueryValueKey (252, (252, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01674 436 NtQueryValueKey (252, (252, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01675 436 NtQueryValueKey (252, (252, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01676 436 NtQueryValueKey (252, (252, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01677 436 NtQueryValueKey (252, (252, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01678 436 NtQueryValueKey (252, (252, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01679 436 NtQueryValueKey (252, (252, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01680 436 NtQueryValueKey (252, (252, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01681 436 NtQueryValueKey (252, (252, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01682 436 NtQueryValueKey (252, (252, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01683 436 NtQueryValueKey (252, (252, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01684 436 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 01685 436 NtQueryValueKey (252, (252, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01686 436 NtQueryValueKey (252, (252, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01687 436 NtQueryValueKey (252, (252, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01688 436 NtQueryValueKey (252, (252, "aux3", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01689 436 NtQueryValueKey (252, (252, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01690 436 NtQueryValueKey (252, (252, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01691 436 NtQueryValueKey (252, (252, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01692 436 NtQueryValueKey (252, (252, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01693 436 NtQueryValueKey (252, (252, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01694 436 NtQueryValueKey (252, (252, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01695 436 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 01696 436 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 256, ) }, ... 256, ) == 0x0 01697 436 NtQueryValueKey (256, (256, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01698 436 NtClose (256, ... ) == 0x0 01699 436 NtCreateEvent (0x1f0003, {24, 72, 0x80, 0, 0, (0x1f0003, {24, 72, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 01700 436 NtQueryValueKey (252, (252, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01701 436 NtQueryValueKey (252, (252, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01702 436 NtQueryValueKey (252, (252, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01703 436 NtQueryValueKey (252, (252, "mixer3", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01704 436 NtQueryValueKey (252, (252, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01705 436 NtQueryValueKey (252, (252, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01706 436 NtQueryValueKey (252, (252, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01707 436 NtQueryValueKey (252, (252, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01708 436 NtQueryValueKey (252, (252, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01709 436 NtQueryValueKey (252, (252, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01710 436 NtQueryDefaultUILanguage (1240072, ... 01711 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01712 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01713 436 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01714 436 NtClose (-2147482020, ... ) == 0x0 01715 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01716 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01717 436 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01718 436 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01719 436 NtClose (-2147482032, ... ) == 0x0 01720 436 NtClose (-2147482020, ... ) == 0x0 01710 436 NtQueryDefaultUILanguage ... 
) == 0x0 01721 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01722 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 256, {status=0x0, info=1}, ) }, 1, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01723 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 256, ... 260, ) == 0x0 01724 436 NtMapViewOfSection (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xd90000), 0x0, 163840, ) == 0x0 01725 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01726 436 NtQueryDefaultLocale (1, 1238108, ... ) == 0x0 01727 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01728 436 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238964, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238964, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\0\1\0\0\377\377\377\377\0\0\0\0\360Z\333\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\264\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1513, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\0\1\0\0\377\377\377\377\0\0\0\0\360Z\333\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\264\356\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 432, 436, 1513, 0} (24, {128, 156, new_msg, 0, 1238964, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\0\1\0\0\377\377\377\377\0\0\0\0\360Z\333\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\264\356\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1513, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\353\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\0\1\0\0\377\377\377\377\0\0\0\0\360Z\333\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\264\356\22\0\0\0\0\0" ) ) == 0x0 01729 436 NtClose (256, ... ) == 0x0 01730 436 NtClose (260, ... ) == 0x0 01731 436 NtUnmapViewOfSection (-1, 0xd90000, ... ) == 0x0 01732 436 NtUnmapViewOfSection (-1, 0x12eeb4, ... ) == STATUS_NOT_MAPPED_VIEW 01733 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01734 436 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 01735 436 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01736 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01737 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01738 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237192, ... ) }, 1237192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01739 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01740 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01741 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01742 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237784, ... ) }, 1237784, ... 
) == 0x0 01743 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 260, {status=0x0, info=1}, ) }, 3, 33, ... 260, {status=0x0, info=1}, ) == 0x0 01744 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01745 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 256, ) }, ... 256, ) == 0x0 01746 436 NtQueryValueKey (256, (256, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01747 436 NtQueryValueKey (256, (256, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01748 436 NtClose (256, ... ) == 0x0 01749 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 256, ) == 0x0 01750 436 NtCreateMutant (0x1f0001, {24, 72, 0x80, 1389288, 0, (0x1f0001, {24, 72, 0x80, 1389288, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 01751 436 NtOpenMutant (0x100000, {24, 72, 0x0, 0, 0, (0x100000, {24, 72, 0x0, 0, 0, "RasPbFile"}, ... 264, ) }, ... 264, ) == 0x0 01752 436 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 268, ) == 0x0 01753 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 272, ) == 0x0 01754 436 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 276, ) == 0x0 01755 436 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 280, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 280, 2, ) , 0, ... 280, 2, ) == 0x0 01756 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 284, ) }, ... 
284, ) == 0x0 01757 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01758 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01759 436 NtQueryValueKey (284, (284, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01760 436 NtQueryValueKey (280, (280, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01761 436 NtQueryValueKey (284, (284, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01762 436 NtQueryValueKey (280, (280, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01763 436 NtQueryValueKey (284, (284, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01764 436 NtQueryValueKey (280, (280, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01765 436 NtQueryValueKey (284, (284, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01766 436 NtQueryValueKey (280, (280, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01767 436 NtQueryValueKey (284, (284, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01768 436 NtQueryValueKey (284, (284, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01769 436 NtQueryValueKey (284, (284, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01770 436 NtQueryValueKey (284, (284, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01771 436 NtQueryValueKey (284, (284, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01772 436 NtQueryValueKey (284, (284, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01773 436 NtQueryValueKey (284, (284, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01774 436 NtQueryValueKey (280, (280, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01775 436 NtQueryValueKey (284, (284, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01776 436 NtQueryValueKey (284, (284, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01777 436 NtQueryValueKey (280, (280, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01778 436 NtQueryValueKey (284, (284, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01779 436 NtQueryValueKey (280, (280, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01780 436 NtQueryValueKey (284, (284, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01781 436 NtQueryValueKey (280, (280, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01782 436 NtQueryValueKey (284, (284, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01783 436 NtQueryValueKey (280, (280, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01784 436 NtQueryValueKey (284, (284, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01785 436 NtQueryValueKey (280, (280, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01786 436 NtQueryValueKey (284, (284, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01787 436 NtQueryValueKey (280, (280, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01788 436 NtQueryValueKey (284, (284, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01789 436 NtQueryValueKey (280, (280, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01790 436 NtQueryValueKey (284, (284, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01791 436 NtQueryValueKey (280, (280, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01792 436 NtQueryValueKey (284, (284, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01793 436 NtQueryValueKey (284, (284, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01794 436 NtQueryValueKey (284, (284, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01795 436 NtQueryValueKey (284, (284, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01796 436 NtQueryValueKey (284, (284, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01797 436 NtQueryValueKey (284, (284, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01798 436 NtQueryValueKey (284, (284, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01799 436 NtQueryValueKey (284, (284, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01800 436 NtQueryValueKey (284, (284, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01801 436 NtQueryValueKey (284, (284, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01802 436 NtQueryValueKey (284, (284, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01803 436 NtQueryValueKey (284, (284, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01804 436 NtQueryValueKey (284, (284, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01805 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 288, ) }, ... 288, ) == 0x0 01806 436 NtQueryValueKey (288, (288, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01807 436 NtClose (288, ... ) == 0x0 01808 436 NtClose (280, ... ) == 0x0 01809 436 NtClose (284, ... ) == 0x0 01810 436 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 284, ) }, ... 284, ) == 0x0 01811 436 NtQueryValueKey (284, (284, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01812 436 NtQueryValueKey (284, (284, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01813 436 NtQueryValueKey (284, (284, "DnsMulticastQueryTimeouts", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01814 436 NtClose (284, ... ) == 0x0 01815 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0 01816 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 280, ) == 0x0 01817 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 288, ) == 0x0 01818 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01819 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14221312, 65536, ) == 0x0 01820 436 NtAllocateVirtualMemory (-1, 14221312, 0, 4096, 4096, 4, ... 14221312, 4096, ) == 0x0 01821 436 NtAllocateVirtualMemory (-1, 14225408, 0, 8192, 4096, 4, ... 14225408, 8192, ) == 0x0 01822 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 292, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 292, {status=0x0, info=0}, ) == 0x0 01823 436 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 296, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 296, {status=0x0, info=0}, ) == 0x0 01824 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 300, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 300, {status=0x0, info=0}, ) == 0x0 01825 436 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 304, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 304, {status=0x0, info=0}, ) == 0x0 01826 436 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1241636, (0x20100080, {24, 0, 0x40, 0, 1241636, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 
308, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 308, {status=0x0, info=0}, ) == 0x0 01827 436 NtAllocateVirtualMemory (-1, 14233600, 0, 36864, 4096, 4, ... 14233600, 36864, ) == 0x0 01828 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0 01829 436 NtDeviceIoControlFile (292, 312, 0x0, 0x0, 0x120003, (292, 312, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (292, 312, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01830 436 NtClose (312, ... ) == 0x0 01831 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0 01832 436 NtDeviceIoControlFile (292, 312, 0x0, 0x0, 0x120003, (292, 312, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\.\253\326\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (292, 312, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\.\253\326\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 01833 436 NtClose (312, ... ) == 0x0 01834 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
312, ) == 0x0 01835 436 NtDeviceIoControlFile (292, 312, 0x0, 0x0, 0x120003, (292, 312, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0{.\253\326|\335\3\0\26\1\0\0/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\345\200\0\0\313\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (292, 312, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0{.\253\326|\335\3\0\26\1\0\0/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\345\200\0\0\313\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 01836 436 NtClose (312, ... ) == 0x0 01837 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01838 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0 01839 436 NtDeviceIoControlFile (292, 312, 0x0, 0x0, 0x120003, (292, 312, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (292, 312, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01840 436 NtClose (312, ... 
) == 0x0 01841 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0 01842 436 NtDeviceIoControlFile (292, 312, 0x0, 0x0, 0x120003, (292, 312, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (292, 312, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 01843 436 NtClose (312, ... ) == 0x0 01844 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 312, ) == 0x0 01845 436 NtDeviceIoControlFile (292, 312, 0x0, 0x0, 0x120003, (292, 312, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (292, 312, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 01846 436 NtClose (312, ... ) == 0x0 01847 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01848 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01849 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01850 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01851 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01852 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01853 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... 
{BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01854 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01855 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01856 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01857 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01858 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01859 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01860 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01861 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01862 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01863 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01864 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01865 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01866 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01867 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
14286848, 65536, ) == 0x0 01868 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01869 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01870 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01871 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01872 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01873 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01874 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01875 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01876 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01877 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01878 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01879 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01880 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01881 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... 
(0xda0000), 65536, ) == 0x0 01882 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01883 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01884 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01885 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01886 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01887 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01888 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01889 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01890 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01891 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01892 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01893 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01894 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01895 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... 
{BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01896 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01897 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01898 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01899 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01900 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01901 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01902 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01903 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01904 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01905 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01906 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01907 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01908 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01909 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 
14286848, 4096, ) == 0x0 01910 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01911 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01912 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01913 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01914 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01915 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01916 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01917 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01918 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01919 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01920 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01921 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01922 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01923 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... 
{BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01924 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01925 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01926 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01927 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01928 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01929 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01930 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01931 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01932 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01933 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01934 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01935 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01936 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01937 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
14286848, 65536, ) == 0x0 01938 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01939 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01940 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01941 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01942 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01943 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01944 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01945 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01946 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01947 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01948 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01949 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01950 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01951 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... 
(0xda0000), 65536, ) == 0x0 01952 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01953 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01954 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01955 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01956 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01957 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01958 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01959 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01960 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01961 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01962 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01963 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01964 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01965 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... 
{BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01966 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01967 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0 01968 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01969 436 NtAllocateVirtualMemory (-1, 14286848, 0, 1, 4096, 4, ... 14286848, 4096, ) == 0x0 01970 436 NtQueryVirtualMemory (-1, 0xda0000, Basic, 28, ... {BaseAddress=0xda0000,AllocationBase=0xda0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01971 436 NtFreeVirtualMemory (-1, (0xda0000), 0, 32768, ... (0xda0000), 65536, ) == 0x0 01972 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 312, ) }, ... 312, ) == 0x0 01973 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 316, ) }, ... 316, ) == 0x0 01974 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 320, ) }, ... 320, ) == 0x0 01975 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 324, ) }, ... 324, ) == 0x0 01976 436 NtQueryDefaultLocale (1, 1241572, ... ) == 0x0 01977 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01978 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1240460, ... ) }, 1240460, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01979 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "odbc32.dll"}, 1240460, ... ) }, 1240460, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01980 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 1240460, ... ) }, 1240460, ... ) == 0x0 01981 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbc32.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 01982 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 328, ... 332, ) == 0x0 01983 436 NtQuerySection (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01984 436 NtClose (328, ... ) == 0x0 01985 436 NtMapViewOfSection (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0 01986 436 NtClose (332, ... ) == 0x0 01987 436 NtProtectVirtualMemory (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0 01988 436 NtProtectVirtualMemory (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 01989 436 NtFlushInstructionCache (-1, 528158720, 724, ... ) == 0x0 01990 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 332, ) }, ... 332, ) == 0x0 01991 436 NtMapViewOfSection (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 01992 436 NtClose (332, ... ) == 0x0 01993 436 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0 01994 436 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 01995 436 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 01996 436 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06b 01997 436 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06c 01998 436 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... 
) == 0xc06d 01999 436 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02000 436 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02001 436 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02002 436 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 02003 436 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 02004 436 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e 02005 436 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f 02006 436 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070 02007 436 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071 02008 436 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072 02009 436 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc073 02010 436 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 02011 436 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc074 02012 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02013 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02014 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02015 436 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02016 436 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 14286848, 262144, ) == 0x0 02017 436 NtAllocateVirtualMemory (-1, 14286848, 0, 4096, 4096, 4, ... 14286848, 4096, ) == 0x0 02018 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02019 436 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 14548992, 262144, ) == 0x0 02020 436 NtAllocateVirtualMemory (-1, 14548992, 0, 4096, 4096, 4, ... 14548992, 4096, ) == 0x0 02021 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02022 436 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 14811136, 262144, ) == 0x0 02023 436 NtAllocateVirtualMemory (-1, 14811136, 0, 4096, 4096, 4, ... 14811136, 4096, ) == 0x0 02024 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02025 436 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 15073280, 262144, ) == 0x0 02026 436 NtAllocateVirtualMemory (-1, 15073280, 0, 4096, 4096, 4, ... 
15073280, 4096, ) == 0x0 02027 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02028 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02029 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02030 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02031 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236432, ... ) }, 1236432, ... ) == 0x0 02032 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0 02033 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 332, ... 328, ) == 0x0 02034 436 NtClose (332, ... ) == 0x0 02035 436 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xea0000), 0x0, 90112, ) == 0x0 02036 436 NtClose (328, ... ) == 0x0 02037 436 NtUnmapViewOfSection (-1, 0xea0000, ... ) == 0x0 02038 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1236748, ... ) }, 1236748, ... ) == 0x0 02039 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 
328, {status=0x0, info=1}, ) == 0x0 02040 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 328, ... 332, ) == 0x0 02041 436 NtQuerySection (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02042 436 NtClose (328, ... ) == 0x0 02043 436 NtMapViewOfSection (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0 02044 436 NtClose (332, ... ) == 0x0 02045 436 NtQueryDefaultLocale (1, 1238436, ... ) == 0x0 02046 436 NtAllocateVirtualMemory (-1, 14290944, 0, 4096, 4096, 4, ... 14290944, 4096, ) == 0x0 02047 436 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 02048 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 332, ) }, ... 332, ) == 0x0 02049 436 NtClose (332, ... ) == 0x0 02050 436 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02051 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02052 436 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02053 436 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02054 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "avicap32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02055 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\avicap32.dll"}, 1240460, ... ) }, 1240460, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02056 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "avicap32.dll"}, 1240460, ... ) }, 1240460, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02057 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\avicap32.dll"}, 1240460, ... ) }, 1240460, ... ) == 0x0 02058 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\avicap32.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0 02059 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 332, ... 328, ) == 0x0 02060 436 NtQuerySection (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02061 436 NtClose (332, ... ) == 0x0 02062 436 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73b80000), 0x0, 73728, ) == 0x0 02063 436 NtClose (328, ... ) == 0x0 02064 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVFW32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02065 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVFW32.dll"}, 1239656, ... ) }, 1239656, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02066 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MSVFW32.dll"}, 1239656, ... ) }, 1239656, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02067 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSVFW32.dll"}, 1239656, ... ) }, 1239656, ... ) == 0x0 02068 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSVFW32.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 02069 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 328, ... 332, ) == 0x0 02070 436 NtQuerySection (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02071 436 NtClose (328, ... ) == 0x0 02072 436 NtMapViewOfSection (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73bd0000), 0x0, 126976, ) == 0x0 02073 436 NtClose (332, ... 
) == 0x0 02074 436 NtProtectVirtualMemory (-1, (0x73bd1000), 952, 4, ... (0x73bd1000), 4096, 32, ) == 0x0 02075 436 NtProtectVirtualMemory (-1, (0x73bd1000), 4096, 32, ... (0x73bd1000), 4096, 4, ) == 0x0 02076 436 NtFlushInstructionCache (-1, 1941770240, 952, ... ) == 0x0 02077 436 NtQueryDefaultLocale (1, 1240412, ... ) == 0x0 02078 436 NtQueryDefaultLocale (1, 1240416, ... ) == 0x0 02079 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02080 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02081 436 NtAllocateVirtualMemory (-1, 0, 0, 21, 4096, 64, ... 15335424, 4096, ) == 0x0 02082 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 15400960, 4096, ) == 0x0 02083 436 NtCreateMutant (0x1f0001, {24, 72, 0x80, 0, 0, (0x1f0001, {24, 72, 0x80, 0, 0, "FEnR"}, 0, ... 332, ) }, 0, ... 332, ) == 0x0 02084 436 NtAllocateVirtualMemory (-1, 0, 0, 25, 4096, 64, ... 15466496, 4096, ) == 0x0 02085 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 15532032, 4096, ) == 0x0 02086 436 NtWaitForSingleObject (332, 0, {-300000000, -1}, ... ) == 0x0 02087 436 NtAllocateVirtualMemory (-1, 0, 0, 42, 4096, 64, ... 15597568, 4096, ) == 0x0 02088 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 15663104, 4096, ) == 0x0 02089 436 NtAllocateVirtualMemory (-1, 0, 0, 15, 4096, 64, ... 15728640, 4096, ) == 0x0 02090 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 15794176, 4096, ) == 0x0 02091 436 NtAllocateVirtualMemory (-1, 0, 0, 53, 4096, 64, ... 15859712, 4096, ) == 0x0 02092 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 15925248, 4096, ) == 0x0 02093 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\amsucbvtvge.exe"}, 1242404, ... ) }, 1242404, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02094 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241320, (0x80100080, {24, 0, 0x40, 0, 1241320, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0 02095 436 NtQueryInformationFile (328, 1242256, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 02096 436 NtQueryInformationFile (328, 1242228, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02097 436 NtQueryInformationFile (328, 1242180, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02098 436 NtAllocateVirtualMemory (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0 02099 436 NtQueryInformationFile (328, 1393176, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 02100 436 NtQueryInformationFile (328, 1240724, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02101 436 NtQueryInformationFile (328, 1240568, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 02102 436 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240576, (0x40110080, {24, 0, 0x40, 0, 1240576, "\??\C:\WINDOWS\System32\amsucbvtvge.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 02103 436 NtClose (-2147482020, ... ) == 0x0 02102 436 NtCreateFile ... 336, {status=0x0, info=2}, ) == 0x0 02104 436 NtQueryVolumeInformationFile (336, 1239948, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 02105 436 NtQueryInformationFile (336, 1239908, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02106 436 NtQueryVolumeInformationFile (328, 1239948, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 02107 436 NtQueryVolumeInformationFile (328, 1239632, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02108 436 NtSetInformationFile (336, 1239736, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02109 436 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 328, ... 340, ) == 0x0 02110 436 NtMapViewOfSection (340, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... 
(0xf40000), {0, 0}, 225280, ) == 0x0 02111 436 NtClose (340, ... ) == 0x0 02112 436 NtWriteFile (336, 0, 0, 0, (336, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0b\333o\254&\272\1\377&\272\1\377&\272\1\377]\246\15\377$\272\1\377\245\246\17\377?\272\1\377I\245\12\377*\272\1\377I\245\13\377Z\272\1\377&\272\0\377\253\272\1\377\245\262\\377!\272\1\377r\2310\377\33\272\1\377Rich&\272\1\377\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\302D\345F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0b\2\0\0t\13\0\0\0\0\0\0\20\0\0\0\20\0\0\0\200\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\17\0\0\4\0\0\12}\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0P\12\16\0\4\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\11\16\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0p\2\0\0\20\0\0\0$\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 02113 436 NtWriteFile (336, 0, 0, 0, (336, 0, 0, 0, "\20\210\271\1\340A\2265\24\27\347\317\337\223j\344C@h\202\222\210n\277\275\34\350\216\314\13\205:\21\214S\236\36\323\232\205\252x\342\245\36\331\322_N\26`\200?\310\246\273\220M?\251\366\233\245@g\337b\207\364\313\265\221u\222\14\261\275\32\316\335-\334w\372\15P\362\347\251\264b\200\336F\2210\227\342\347\26J\276\326\224\2241\364\317[\233\360\216"2o\27+\32x\2366"\357\230\304\26\307\341Yw\24r\232\352\220\373}\231\344\325V\373\27\203\372U"\320\257|\315\336I\340\210%E2\376\265FC\223\213\212\234\233\262\263X\232\241\254\322o\235cG@m\223\373s\37\27\242D6\177\362\15\305\346f\263S?\37X\36&\320F\22\21\203\216\361\256D\335kI\342\13|I\244\26A47N{~\266\16\227r\5\5\211\373\2\341\236\342\236\11Q\371%\215M\350tc(\223\303}\354I\357\3460\3\250\315\315}\235\2304\305i\271\311\215/kC\364:.\234sw\366\232\235\352\367\12\307C\215\326\223\31\33\352\264i*d\2412c\216\0]\254\22w\225\357\222d.\222\362\14v/\277\5TI*\201>\210\354\316\331\360\312.\0\231\4py\254+\204\374n\341\264\2275\15\347\201\30T\251\240\24:r\2646\220p\266\311\214A\350\312\347\365Bj\226\306TM\315X\331|\305\2253\267}\221QG\365Q\300\177\200\232\230\236\212\213A\2\21Y\230\241\23t\4-\21\@T.&\260\2230A\5\177\270G\224yT\301k\337\11N\201ok\1g\274\356de\139EG\306\371\220\0\354\311\317\276"\351\266h\274\16\266\254\356\24\232\317d\36F\231*\4\231\22p!6jdT\336\352\377\273\377&(*\350B\303\236\211\373\204\253\215\26I/\232l\13\216\325\303", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) 2o\27+\32x\2366 (336, 0, 0, 0, "\20\210\271\1\340A\2265\24\27\347\317\337\223j\344C@h\202\222\210n\277\275\34\350\216\314\13\205:\21\214S\236\36\323\232\205\252x\342\245\36\331\322_N\26`\200?\310\246\273\220M?\251\366\233\245@g\337b\207\364\313\265\221u\222\14\261\275\32\316\335-\334w\372\15P\362\347\251\264b\200\336F\2210\227\342\347\26J\276\326\224\2241\364\317[\233\360\216"2o\27+\32x\2366"\357\230\304\26\307\341Yw\24r\232\352\220\373}\231\344\325V\373\27\203\372U"\320\257|\315\336I\340\210%E2\376\265FC\223\213\212\234\233\262\263X\232\241\254\322o\235cG@m\223\373s\37\27\242D6\177\362\15\305\346f\263S?\37X\36&\320F\22\21\203\216\361\256D\335kI\342\13|I\244\26A47N{~\266\16\227r\5\5\211\373\2\341\236\342\236\11Q\371%\215M\350tc(\223\303}\354I\357\3460\3\250\315\315}\235\2304\305i\271\311\215/kC\364:.\234sw\366\232\235\352\367\12\307C\215\326\223\31\33\352\264i*d\2412c\216\0]\254\22w\225\357\222d.\222\362\14v/\277\5TI*\201>\210\354\316\331\360\312.\0\231\4py\254+\204\374n\341\264\2275\15\347\201\30T\251\240\24:r\2646\220p\266\311\214A\350\312\347\365Bj\226\306TM\315X\331|\305\2253\267}\221QG\365Q\300\177\200\232\230\236\212\213A\2\21Y\230\241\23t\4-\21\@T.&\260\2230A\5\177\270G\224yT\301k\337\11N\201ok\1g\274\356de\139EG\306\371\220\0\354\311\317\276"\351\266h\274\16\266\254\356\24\232\317d\36F\231*\4\231\22p!6jdT\336\352\377\273\377&(*\350B\303\236\211\373\204\253\215\26I/\232l\13\216\325\303", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \320\257|\315\336I\340\210%E2\376\265FC\223\213\212\234\233\262\263X\232\241\254\322o\235cG@m\223\373s\37\27\242D6\177\362\15\305\346f\263S?\37X\36&\320F\22\21\203\216\361\256D\335kI\342\13|I\244\26A47N{~\266\16\227r\5\5\211\373\2\341\236\342\236\11Q\371%\215M\350tc(\223\303}\354I\357\3460\3\250\315\315}\235\2304\305i\271\311\215/kC\364:.\234sw\366\232\235\352\367\12\307C\215\326\223\31\33\352\264i*d\2412c\216\0]\254\22w\225\357\222d.\222\362\14v/\277\5TI*\201>\210\354\316\331\360\312.\0\231\4py\254+\204\374n\341\264\2275\15\347\201\30T\251\240\24:r\2646\220p\266\311\214A\350\312\347\365Bj\226\306TM\315X\331|\305\2253\267}\221QG\365Q\300\177\200\232\230\236\212\213A\2\21Y\230\241\23t\4-\21\@T.&\260\2230A\5\177\270G\224yT\301k\337\11N\201ok\1g\274\356de\139EG\306\371\220\0\354\311\317\276 (336, 0, 0, 0, "\20\210\271\1\340A\2265\24\27\347\317\337\223j\344C@h\202\222\210n\277\275\34\350\216\314\13\205:\21\214S\236\36\323\232\205\252x\342\245\36\331\322_N\26`\200?\310\246\273\220M?\251\366\233\245@g\337b\207\364\313\265\221u\222\14\261\275\32\316\335-\334w\372\15P\362\347\251\264b\200\336F\2210\227\342\347\26J\276\326\224\2241\364\317[\233\360\216"2o\27+\32x\2366"\357\230\304\26\307\341Yw\24r\232\352\220\373}\231\344\325V\373\27\203\372U"\320\257|\315\336I\340\210%E2\376\265FC\223\213\212\234\233\262\263X\232\241\254\322o\235cG@m\223\373s\37\27\242D6\177\362\15\305\346f\263S?\37X\36&\320F\22\21\203\216\361\256D\335kI\342\13|I\244\26A47N{~\266\16\227r\5\5\211\373\2\341\236\342\236\11Q\371%\215M\350tc(\223\303}\354I\357\3460\3\250\315\315}\235\2304\305i\271\311\215/kC\364:.\234sw\366\232\235\352\367\12\307C\215\326\223\31\33\352\264i*d\2412c\216\0]\254\22w\225\357\222d.\222\362\14v/\277\5TI*\201>\210\354\316\331\360\312.\0\231\4py\254+\204\374n\341\264\2275\15\347\201\30T\251\240\24:r\2646\220p\266\311\214A\350\312\347\365Bj\226\306TM\315X\331|\305\2253\267}\221QG\365Q\300\177\200\232\230\236\212\213A\2\21Y\230\241\23t\4-\21\@T.&\260\2230A\5\17
7\270G\224yT\301k\337\11N\201ok\1g\274\356de\139EG\306\371\220\0\354\311\317\276"\351\266h\274\16\266\254\356\24\232\317d\36F\231*\4\231\22p!6jdT\336\352\377\273\377&(*\350B\303\236\211\373\204\253\215\26I/\232l\13\216\325\303", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02114 436 NtWriteFile (336, 0, 0, 0, (336, 0, 0, 0, "\322\12\345\211\0\331\223*\23\261l\22[\17\325\236\213\274\366\37\207_W\300\206@0\374?N\0|L=\22}&\1C\0~")\361\351\317\331\2>\274B?\371\0\362\215\4:M\177$\7\373R\241\360\372\20bGL\337\0\251\207@\222y1p\210\0\213O\374\3614\203J\4\3x\33\212\6F\301\331~\24\364\325\20\07\211\313;\303\363\246\25\0`t\14\212\22\354Z\35\5\377W\10^A\300u\370:'\0Q\230j\220C1\377(\0\233H\374\302\257#\203x\0\340ou\35\354\350\11*\371\373\241\207\34\365\204\370\245:\0u\213\356@\32p\374\220\7\256P0\334(`\14\233\224\252\72\311\322\372!\2609\361|G\0\266K\235\200,P\4\351uo\270\264\04\324\312\262]E\3330\35\310)\367\36\363\200@=Y\6\211\332\0[\351G\23J\3036\234?\270\250\203\201\354\340\1\243\340\372\342|\0\265A\3507<\220\35\360\0y \363(}\200\12$\37\377u1@\333\343j\205\25\256\7\37Y\34[\304\20\311\370\252"\3MPX1t\365\224\301\206\2652\371f\300K\16\373\207\312RF\316`IX\20\226\05\321"\327\14Y \232\0P;[\222\24\210\354\0D.S\212\250$9O\0\263\23a\16b|\211\6\35\342Lu@\251\5\243\22\11\377\0.\344m\24O\177\354\236\3R\376|K\371\340\301\335\211 \355\372\0\326\240\255\6\345\364\1\200\0\\370\277{\316\12\13\250\0F\36\14\220X?\15\240\0b\177\16@{\17\310f\22\210\262\22\0\330\216Y\223Xo\366"\317*\1\300\177\12\230\326\351\3E\322\333\24R\363\360\31\353x\0\221\32\70X,\314\35Xj\250\1D-a\324(\273\360\20\300\3443\4P\224\363\376R\300\240\211\325\213\0T", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) )\361\351\317\331\2>\274B?\371\0\362\215\4:M\177$\7\373R\241\360\372\20bGL\337\0\251\207@\222y1p\210\0\213O\374\3614\203J\4\3x\33\212\6F\301\331~\24\364\325\20\07\211\313;\303\363\246\25\0`t\14\212\22\354Z\35\5\377W\10^A\300u\370:'\0Q\230j\220C1\377(\0\233H\374\302\257#\203x\0\340ou\35\354\350\11*\371\373\241\207\34\365\204\370\245:\0u\213\356@\32p\374\220\7\256P0\334(`\14\233\224\252\72\311\322\372!\2609\361|G\0\266K\235\200,P\4\351uo\270\264\04\324\312\262]E\3330\35\310)\367\36\363\200@=Y\6\211\332\0[\351G\23J\3036\234?\270\250\203\201\354\340\1\243\340\372\342|\0\265A\3507<\220\35\360\0y \363(}\200\12$\37\377u1@\333\343j\205\25\256\7\37Y\34[\304\20\311\370\252 (336, 0, 0, 0, "\322\12\345\211\0\331\223*\23\261l\22[\17\325\236\213\274\366\37\207_W\300\206@0\374?N\0|L=\22}&\1C\0~")\361\351\317\331\2>\274B?\371\0\362\215\4:M\177$\7\373R\241\360\372\20bGL\337\0\251\207@\222y1p\210\0\213O\374\3614\203J\4\3x\33\212\6F\301\331~\24\364\325\20\07\211\313;\303\363\246\25\0`t\14\212\22\354Z\35\5\377W\10^A\300u\370:'\0Q\230j\220C1\377(\0\233H\374\302\257#\203x\0\340ou\35\354\350\11*\371\373\241\207\34\365\204\370\245:\0u\213\356@\32p\374\220\7\256P0\334(`\14\233\224\252\72\311\322\372!\2609\361|G\0\266K\235\200,P\4\351uo\270\264\04\324\312\262]E\3330\35\310)\367\36\363\200@=Y\6\211\332\0[\351G\23J\3036\234?\270\250\203\201\354\340\1\243\340\372\342|\0\265A\3507<\220\35\360\0y \363(}\200\12$\37\377u1@\333\343j\205\25\256\7\37Y\34[\304\20\311\370\252"\3MPX1t\365\224\301\206\2652\371f\300K\16\373\207\312RF\316`IX\20\226\05\321"\327\14Y \232\0P;[\222\24\210\354\0D.S\212\250$9O\0\263\23a\16b|\211\6\35\342Lu@\251\5\243\22\11\377\0.\344m\24O\177\354\236\3R\376|K\371\340\301\335\211 
\355\372\0\326\240\255\6\345\364\1\200\0\\370\277{\316\12\13\250\0F\36\14\220X?\15\240\0b\177\16@{\17\310f\22\210\262\22\0\330\216Y\223Xo\366"\317*\1\300\177\12\230\326\351\3E\322\333\24R\363\360\31\353x\0\221\32\70X,\314\35Xj\250\1D-a\324(\273\360\20\300\3443\4P\224\363\376R\300\240\211\325\213\0T", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \327\14Y \232\0P;[\222\24\210\354\0D.S\212\250$9O\0\263\23a\16b|\211\6\35\342Lu@\251\5\243\22\11\377\0.\344m\24O\177\354\236\3R\376|K\371\340\301\335\211 \355\372\0\326\240\255\6\345\364\1\200\0\\370\277{\316\12\13\250\0F\36\14\220X?\15\240\0b\177\16@{\17\310f\22\210\262\22\0\330\216Y\223Xo\366 (336, 0, 0, 0, "\322\12\345\211\0\331\223*\23\261l\22[\17\325\236\213\274\366\37\207_W\300\206@0\374?N\0|L=\22}&\1C\0~")\361\351\317\331\2>\274B?\371\0\362\215\4:M\177$\7\373R\241\360\372\20bGL\337\0\251\207@\222y1p\210\0\213O\374\3614\203J\4\3x\33\212\6F\301\331~\24\364\325\20\07\211\313;\303\363\246\25\0`t\14\212\22\354Z\35\5\377W\10^A\300u\370:'\0Q\230j\220C1\377(\0\233H\374\302\257#\203x\0\340ou\35\354\350\11*\371\373\241\207\34\365\204\370\245:\0u\213\356@\32p\374\220\7\256P0\334(`\14\233\224\252\72\311\322\372!\2609\361|G\0\266K\235\200,P\4\351uo\270\264\04\324\312\262]E\3330\35\310)\367\36\363\200@=Y\6\211\332\0[\351G\23J\3036\234?\270\250\203\201\354\340\1\243\340\372\342|\0\265A\3507<\220\35\360\0y \363(}\200\12$\37\377u1@\333\343j\205\25\256\7\37Y\34[\304\20\311\370\252"\3MPX1t\365\224\301\206\2652\371f\300K\16\373\207\312RF\316`IX\20\226\05\321"\327\14Y \232\0P;[\222\24\210\354\0D.S\212\250$9O\0\263\23a\16b|\211\6\35\342Lu@\251\5\243\22\11\377\0.\344m\24O\177\354\236\3R\376|K\371\340\301\335\211 \355\372\0\326\240\255\6\345\364\1\200\0\\370\277{\316\12\13\250\0F\36\14\220X?\15\240\0b\177\16@{\17\310f\22\210\262\22\0\330\216Y\223Xo\366"\317*\1\300\177\12\230\326\351\3E\322\333\24R\363\360\31\353x\0\221\32\70X,\314\35Xj\250\1D-a\324(\273\360\20\300\3443\4P\224\363\376R\300\240\211\325\213\0T", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02115 436 NtWriteFile (336, 0, 0, 0, (336, 0, 0, 0, ";\350\364\34?\200\200j\12\215&N\10\0tO\347\3\214\355\36\351\0}\340\256Q<\366P\22\17V@\253# =\365\11\352\1\1\374\263\311\376"e\205\350\13P\364\257\3iB\366\1772\16\347 X\276e<\27S!\347\377\37\22\335\21\0\317Eb\16\276\23\0q\324\260\222G\235\214\14\7\244<\3\243\220P\275\354\325\203\1\205\306\12Sx\307R\354T\370\0\3\206\220P$\351\7M\0d7\203*\255\204\212C\5H\221J\22\233\300\12A0s\251\376\250\0\270\272B\334\12s\25E\0=\311\34ZK\332\202M\0W\224\341G9u\0'\365Q\252\355BO\0\246$\22\343|G\207\366\4\225\223\20\277\24\200|Z\242@\7\235\364\2\350\221wh\365\333\300V\370\376%\34\323*X\337(\200\3\362\211BE\316\2\300\34&\~!]@\30\334<\30P#5\20\22\302\0_2\374\30\12T\205\304`\324\3041\320\33~<\207\220\201\257MX\20\344\16\344`\27\22\274\12\331\13\202\10\217\266\240\353@7U\326?R\245\200C4\333\15W\374\250\0\177\206\265\22E\20\221\372\3\314\27\270s\312\342\0\340kJ\336\202\21b\37\0U\31>\212\244\2379\23\0T\373\353\262l\302\270\2348\11\324\201O\6x)\21\236aX\310\257\363\0t \334\367\2\340\375L\0#\21T"B\322\203\301\0H\324\362\247%\311u\31\2\342r\177\244t\373\340\307\216\264\16\367q\360,\340\205\34\203\207\343\362\2\0P\212\351\26\372\321\13\223?\303\215\37\2052@\261\4)\20:\250;}\242\0~'1\6+C<\0\241c\14S$\312\223]\344\37\37\340\370;\376\0(\17\203\262\213\2150\0", 40960, 0x0, 0, ... 
{status=0x0, info=40960}, ) e\205\350\13P\364\257\3iB\366\1772\16\347 X\276e<\27S!\347\377\37\22\335\21\0\317Eb\16\276\23\0q\324\260\222G\235\214\14\7\244<\3\243\220P\275\354\325\203\1\205\306\12Sx\307R\354T\370\0\3\206\220P$\351\7M\0d7\203*\255\204\212C\5H\221J\22\233\300\12A0s\251\376\250\0\270\272B\334\12s\25E\0=\311\34ZK\332\202M\0W\224\341G334\317\0q\210\330D\307\3769\3560J\340\32\351U\14\0\233\224H\223\221\322\201\266>9u\0'\365Q\252\355BO\0\246$\22\343|G\207\366\4\225\223\20\277\24\200|Z\242@\7\235\364\2\350\221wh\365\333\300V\370\376%\34\323*X\337(\200\3\362\211BE\316\2\300\34&\~!]@\30\334<\30P#5\20\22\302\0_2\374\30\12T\205\304`\324\3041\320\33~<\207\220\201\257MX\20\344\16\344`\27\22\274\12\331\13\202\10\217\266\240\353@7U\326?R\245\200C4\333\15W\374\250\0\177\206\265\22E\20\221\372\3\314\27\270s\312\342\0\340kJ\336\202\21b\37\0U\31>\212\244\2379\23\0T\373\353\262l\302\270\2348\11\324\201O\6x)\21\236aX\310\257\363\0t \334\367\2\340\375L\0#\21T (336, 0, 0, 0, ";\350\364\34?\200\200j\12\215&N\10\0tO\347\3\214\355\36\351\0}\340\256Q<\366P\22\17V@\253# =\365\11\352\1\1\374\263\311\376"e\205\350\13P\364\257\3iB\366\1772\16\347 X\276e<\27S!\347\377\37\22\335\21\0\317Eb\16\276\23\0q\324\260\222G\235\214\14\7\244<\3\243\220P\275\354\325\203\1\205\306\12Sx\307R\354T\370\0\3\206\220P$\351\7M\0d7\203*\255\204\212C\5H\221J\22\233\300\12A0s\251\376\250\0\270\272B\334\12s\25E\0=\311\34ZK\332\202M\0W\224\341G9u\0'\365Q\252\355BO\0\246$\22\343|G\207\366\4\225\223\20\277\24\200|Z\242@\7\235\364\2\350\221wh\365\333\300V\370\376%\34\323*X\337(\200\3\362\211BE\316\2\300\34&\~!]@\30\334<\30P#5\20\22\302\0_2\374\30\12T\205\304`\324\3041\320\33~<\207\220\201\257MX\20\344\16\344`\27\22\274\12\331\13\202\10\217\266\240\353@7U\326?R\245\200C4\333\15W\374\250\0\177\206\265\22E\20\221\372\3\314\27\270s\312\342\0\340kJ\336\202\21b\37\0U\31>\212\244\2379\23\0T\373\353\262l\302\270\2348\11\324\201O\6x)\21\236aX\310\257\363\0t 
\334\367\2\340\375L\0#\21T"B\322\203\301\0H\324\362\247%\311u\31\2\342r\177\244t\373\340\307\216\264\16\367q\360,\340\205\34\203\207\343\362\2\0P\212\351\26\372\321\13\223?\303\215\37\2052@\261\4)\20:\250;}\242\0~'1\6+C<\0\241c\14S$\312\223]\344\37\37\340\370;\376\0(\17\203\262\213\2150\0", 40960, 0x0, 0, ... {status=0x0, info=40960}, ) , 40960, 0x0, 0, ... {status=0x0, info=40960}, ) == 0x0 02116 436 NtUnmapViewOfSection (-1, 0xf40000, ... ) == 0x0 02117 436 NtSetInformationFile (336, 1242180, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02118 436 NtClose (328, ... ) == 0x0 02119 436 NtClose (336, ... ) == 0x0 02120 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241320, ... ) }, 1241320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02121 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241320, ... ) }, 1241320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02122 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\explorer.exe"}, 1241320, ... ) }, 1241320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02123 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241320, ... ) }, 1241320, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02124 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241320, ... ) }, 1241320, ... ) == 0x0 02125 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242076, (0x80100080, {24, 0, 0x40, 0, 1242076, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0 02126 436 NtAllocateVirtualMemory (-1, 0, 0, 27, 4096, 64, ... 15990784, 4096, ) == 0x0 02127 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 16056320, 4096, ) == 0x0 02128 436 NtQueryInformationFile (336, 1242128, 40, Basic, ... 
{status=0x0, info=40}, ) == 0x0 02129 436 NtClose (336, ... ) == 0x0 02130 436 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1242076, (0x40100080, {24, 0, 0x40, 0, 1242076, "\??\C:\WINDOWS\System32\amsucbvtvge.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0 02131 436 NtAllocateVirtualMemory (-1, 0, 0, 27, 4096, 64, ... 16121856, 4096, ) == 0x0 02132 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 16187392, 4096, ) == 0x0 02133 436 NtSetInformationFile (336, 1242128, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02134 436 NtClose (336, ... ) == 0x0 02135 436 NtAllocateVirtualMemory (-1, 0, 0, 19, 4096, 64, ... 16252928, 4096, ) == 0x0 02136 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 16318464, 4096, ) == 0x0 02137 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\amsucbvtvge.exe"}, 7, 2113568, ... 336, {status=0x0, info=1}, ) }, 7, 2113568, ... 336, {status=0x0, info=1}, ) == 0x0 02138 436 NtSetInformationFile (336, 1242380, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02139 436 NtClose (336, ... ) == 0x0 02140 436 NtAllocateVirtualMemory (-1, 0, 0, 17, 4096, 64, ... 16384000, 4096, ) == 0x0 02141 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 16449536, 4096, ) == 0x0 02142 436 NtAllocateVirtualMemory (-1, 0, 0, 84, 4096, 64, ... 16515072, 4096, ) == 0x0 02143 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 16580608, 4096, ) == 0x0 02144 436 NtOpenProcess (0x100000, {24, 0, 0x2, 0, 0, 0x0}, {432, 0}, ... 336, ) == 0x0 02145 436 NtAllocateVirtualMemory (-1, 0, 0, 52, 4096, 64, ... 16646144, 4096, ) == 0x0 02146 436 NtAllocateVirtualMemory (-1, 0, 0, 512, 4096, 64, ... 16711680, 4096, ) == 0x0 02147 436 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... 
) == STATUS_ACCESS_DENIED 02148 436 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\amsucbvtvge.exe"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 02149 436 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 328, ... 340, ) == 0x0 02150 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02151 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 344, ) }, ... 344, ) == 0x0 02152 436 NtQueryValueKey (344, (344, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02153 436 NtClose (344, ... ) == 0x0 02154 436 NtQueryVolumeInformationFile (328, 1238876, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02155 436 NtOpenMutant (0x120001, {24, 72, 0x0, 0, 0, (0x120001, {24, 72, 0x0, 0, 0, "ShimCacheMutex"}, ... 344, ) }, ... 344, ) == 0x0 02156 436 NtWaitForSingleObject (344, 0, {-1000000, -1}, ... ) == 0x0 02157 436 NtOpenSection (0x2, {24, 72, 0x0, 0, 0, (0x2, {24, 72, 0x0, 0, 0, "ShimSharedMemory"}, ... 348, ) }, ... 348, ) == 0x0 02158 436 NtMapViewOfSection (348, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1000000), {0, 0}, 57344, ) == 0x0 02159 436 NtReleaseMutant (344, ... 0x0, ) == 0x0 02160 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1236860, ... ) }, 1236860, ... ) == 0x0 02161 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0 02162 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 352, ... 356, ) == 0x0 02163 436 NtClose (352, ... 
) == 0x0 02164 436 NtMapViewOfSection (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1010000), 0x0, 106496, ) == 0x0 02165 436 NtClose (356, ... ) == 0x0 02166 436 NtUnmapViewOfSection (-1, 0x1010000, ... ) == 0x0 02167 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237176, ... ) }, 1237176, ... ) == 0x0 02168 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 356, {status=0x0, info=1}, ) }, 5, 96, ... 356, {status=0x0, info=1}, ) == 0x0 02169 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 356, ... 352, ) == 0x0 02170 436 NtQuerySection (352, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02171 436 NtClose (356, ... ) == 0x0 02172 436 NtMapViewOfSection (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 02173 436 NtClose (352, ... ) == 0x0 02174 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0 02175 436 NtQueryInformationFile (352, 1237464, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02176 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 352, ... 356, ) == 0x0 02177 436 NtMapViewOfSection (356, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1010000), 0x0, 1028096, ) == 0x0 02178 436 NtQueryInformationFile (352, 1237560, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02179 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02180 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02181 436 NtQueryInformationProcess (-1, Wow64, 4, ... 
{process info, class 26, size 4}, 0x0, ) == 0x0 02182 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0 02183 436 NtQueryDirectoryFile (360, 0, 0, 0, 1235124, 616, BothDirectory, 1, (360, 0, 0, 0, 1235124, 616, BothDirectory, 1, "amsucbvtvge.exe", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0 02184 436 NtClose (360, ... ) == 0x0 02185 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02186 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02187 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\amsucbvtvge.exe"}, 1234512, ... ) }, 1234512, ... ) == 0x0 02188 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0 02189 436 NtQueryDirectoryFile (360, 0, 0, 0, 1233872, 616, BothDirectory, 1, (360, 0, 0, 0, 1233872, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02190 436 NtClose (360, ... ) == 0x0 02191 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0 02192 436 NtQueryDirectoryFile (360, 0, 0, 0, 1233872, 616, BothDirectory, 1, (360, 0, 0, 0, 1233872, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02193 436 NtClose (360, ... ) == 0x0 02194 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02195 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02196 436 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02197 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02198 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 360, ) == 0x0 02199 436 NtQueryInformationToken (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02200 436 NtClose (360, ... ) == 0x0 02201 436 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02202 436 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\amsucbvtvge.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02203 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02204 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02205 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\amsucbvtvge.exe"}, 1236792, ... ) }, 1236792, ... ) == 0x0 02206 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0 02207 436 NtQueryDirectoryFile (360, 0, 0, 0, 1236152, 616, BothDirectory, 1, (360, 0, 0, 0, 1236152, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02208 436 NtClose (360, ... ) == 0x0 02209 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 
360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0 02210 436 NtQueryDirectoryFile (360, 0, 0, 0, 1236152, 616, BothDirectory, 1, (360, 0, 0, 0, 1236152, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02211 436 NtClose (360, ... ) == 0x0 02212 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02213 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02214 436 NtWaitForSingleObject (344, 0, {-1000000, -1}, ... ) == 0x0 02215 436 NtQueryVolumeInformationFile (328, 1237436, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02216 436 NtQueryInformationFile (328, 1237416, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02217 436 NtQueryInformationFile (328, 1237456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02218 436 NtReleaseMutant (344, ... 0x0, ) == 0x0 02219 436 NtUnmapViewOfSection (-1, 0x1010000, ... ) == 0x0 02220 436 NtClose (356, ... ) == 0x0 02221 436 NtClose (352, ... ) == 0x0 02222 436 NtQuerySection (340, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02223 436 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amsucbvtvge.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02224 436 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 02225 436 NtOpenProcessToken (-1, 0xa, ... 352, ) == 0x0 02226 436 NtQueryInformationToken (352, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 02227 436 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02228 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 356, ) }, ... 356, ) == 0x0 02229 436 NtQueryValueKey (356, (356, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (356, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02230 436 NtQueryValueKey (356, (356, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (356, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02231 436 NtClose (356, ... ) == 0x0 02232 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 356, ) }, ... 356, ) == 0x0 02233 436 NtQueryValueKey (356, (356, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 02234 436 NtQueryValueKey (356, (356, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (356, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 02235 436 NtClose (356, ... ) == 0x0 02236 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02237 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 356, ) }, ... 356, ) == 0x0 02238 436 NtQueryValueKey (356, (356, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02239 436 NtClose (356, ... ) == 0x0 02240 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02241 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02242 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02243 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02244 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02245 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02246 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02247 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02248 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02249 436 NtQueryDefaultLocale (1, 1238248, ... ) == 0x0 02250 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 356, ) }, ... 356, ) == 0x0 02251 436 NtEnumerateKey (356, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (356, 0, Basic, 280, ... 
{LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 02252 436 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 360, ) }, ... 360, ) == 0x0 02253 436 NtQueryValueKey (360, (360, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (360, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 02254 436 NtQueryValueKey (360, (360, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (360, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02255 436 NtClose (360, ... ) == 0x0 02256 436 NtEnumerateKey (356, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 02257 436 NtClose (356, ... ) == 0x0 02258 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02259 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02260 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02261 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02262 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02263 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02264 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02265 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02266 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02267 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02268 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02269 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02270 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02271 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02272 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02273 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02274 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02275 436 NtClose (356, ... ) == 0x0 02276 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02277 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02278 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02279 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02280 436 NtClose (356, ... ) == 0x0 02281 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02282 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02283 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02284 436 NtQueryInformationToken (356, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02285 436 NtClose (356, ... ) == 0x0 02286 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02287 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02288 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02289 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02290 436 NtClose (356, ... ) == 0x0 02291 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02292 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02293 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02294 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02295 436 NtClose (356, ... ) == 0x0 02296 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02297 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02298 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02299 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02300 436 NtClose (356, ... ) == 0x0 02301 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02302 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02303 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02304 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02305 436 NtClose (356, ... ) == 0x0 02306 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02307 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02308 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02309 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02310 436 NtClose (356, ... ) == 0x0 02311 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02312 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02313 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02314 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02315 436 NtClose (356, ... ) == 0x0 02316 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02317 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02318 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02319 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02320 436 NtClose (356, ... 
) == 0x0 02321 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02322 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02323 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02324 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02325 436 NtClose (356, ... ) == 0x0 02326 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02327 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02328 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02329 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02330 436 NtClose (356, ... ) == 0x0 02331 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02332 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02333 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02334 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02335 436 NtClose (356, ... ) == 0x0 02336 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02337 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02338 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02339 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02340 436 NtClose (356, ... ) == 0x0 02341 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02342 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02343 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02344 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02345 436 NtClose (356, ... ) == 0x0 02346 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02347 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 356, ) }, ... 356, ) == 0x0 02348 436 NtQueryValueKey (356, (356, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (356, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (356, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 02349 436 NtClose (356, ... ) == 0x0 02350 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02351 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 356, ) == 0x0 02352 436 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02353 436 NtClose (356, ... 
) == 0x0 02354 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02355 436 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 02356 436 NtOpenProcessToken (-1, 0xa, ... 356, ) == 0x0 02357 436 NtDuplicateToken (356, 0xc, {24, 0, 0x0, 0, 1238768, 0x0}, 0, 2, ... 360, ) == 0x0 02358 436 NtClose (356, ... ) == 0x0 02359 436 NtAccessCheck (1399696, 360, 0x1, 1238896, 1238840, 56, 1238924, ... (0x1), ) == 0x0 02360 436 NtClose (360, ... ) == 0x0 02361 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 360, ) }, ... 360, ) == 0x0 02362 436 NtQueryValueKey (360, (360, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (360, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02363 436 NtClose (360, ... ) == 0x0 02364 436 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 360, ) }, ... 360, ) == 0x0 02365 436 NtQuerySymbolicLinkObject (360, ... (360, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 02366 436 NtClose (360, ... ) == 0x0 02367 436 NtQueryInformationFile (328, 1237228, 528, Name, ... {status=0x0, info=70}, ) == 0x0 02368 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02369 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02370 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\amsucbvtvge.exe"}, 1235908, ... ) }, 1235908, ... ) == 0x0 02371 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 
360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0 02372 436 NtQueryDirectoryFile (360, 0, 0, 0, 1235268, 616, BothDirectory, 1, (360, 0, 0, 0, 1235268, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02373 436 NtClose (360, ... ) == 0x0 02374 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0 02375 436 NtQueryDirectoryFile (360, 0, 0, 0, 1235268, 616, BothDirectory, 1, (360, 0, 0, 0, 1235268, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02376 436 NtClose (360, ... ) == 0x0 02377 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02378 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02379 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02380 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 360, ) == 0x0 02381 436 NtQueryInformationToken (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02382 436 NtClose (360, ... ) == 0x0 02383 436 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 360, ) }, ... 360, ) == 0x0 02384 436 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 356, ) }, ... 356, ) == 0x0 02385 436 NtClose (360, ... ) == 0x0 02386 436 NtQueryValueKey (356, (356, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02387 436 NtQueryValueKey (356, (356, "Cache", Partial, 162, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (356, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 02388 436 NtClose (356, ... ) == 0x0 02389 436 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 16842752, 4096, ) == 0x0 02390 436 NtAllocateVirtualMemory (-1, 16842752, 0, 4096, 4096, 4, ... 16842752, 4096, ) == 0x0 02391 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 356, ) }, ... 356, ) == 0x0 02392 436 NtQueryValueKey (356, (356, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02393 436 NtClose (356, ... ) == 0x0 02394 436 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02395 436 NtQueryInformationToken (352, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 02396 436 NtQueryInformationToken (352, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 02397 436 NtClose (352, ... ) == 0x0 02398 436 NtCreateProcessEx (1241504, 2035711, 0, -1, 4, 340, 0, 0, 0, ... ) == 0x0 02399 436 NtSetInformationProcess (352, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0 02400 436 NtQueryInformationProcess (352, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=588,ParentPid=432,}, 0x0, ) == 0x0 02401 436 NtReadVirtualMemory (352, 0x7ffdf008, 4, ... (352, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 02402 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\amsucbvtvge.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02403 436 NtReadVirtualMemory (352, 0x400000, 4096, ... (352, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0b\333o\254&\272\1\377&\272\1\377&\272\1\377]\246\15\377$\272\1\377\245\246\17\377?\272\1\377I\245\12\377*\272\1\377I\245\13\377Z\272\1\377&\272\0\377\253\272\1\377\245\262\\377!\272\1\377r\2310\377\33\272\1\377Rich&\272\1\377\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\302D\345F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0b\2\0\0t\13\0\0\0\0\0\0\20\0\0\0\20\0\0\0\200\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\17\0\0\4\0\0\12}\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0P\12\16\0\4\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\11\16\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0p\2\0\0\20\0\0\0$\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 02404 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02405 436 NtQueryInformationProcess (352, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=588,ParentPid=432,}, 0x0, ) == 0x0 02406 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1239568, ... ) }, 1239568, ... 
) == 0x0 02407 436 NtAllocateVirtualMemory (-1, 0, 0, 1668, 4096, 4, ... 16908288, 4096, ) == 0x0 02408 436 NtAllocateVirtualMemory (352, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 02409 436 NtWriteVirtualMemory (352, 0x10000, (352, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 02410 436 NtAllocateVirtualMemory (352, 0, 0, 1668, 4096, 4, ... 
131072, 4096, ) == 0x0 02411 436 NtWriteVirtualMemory (352, 0x20000, (352, 0x20000, "\0\20\0\0\204\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\374\0\376\0\230\4\0\0F\0H\0\230\5\0\0x\0z\0\340\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\2\0\\6\0\0\36\0 \0`\6\0\0\0\0\2\0\200\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1668, ... 0x0, ) , 1668, ... 0x0, ) == 0x0 02412 436 NtWriteVirtualMemory (352, 0x7ffdf010, (352, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02413 436 NtWriteVirtualMemory (352, 0x7ffdf1e8, (352, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02414 436 NtFreeVirtualMemory (-1, (0x1020000), 0, 32768, ... (0x1020000), 4096, ) == 0x0 02415 436 NtAllocateVirtualMemory (352, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 02416 436 NtAllocateVirtualMemory (352, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 02417 436 NtProtectVirtualMemory (352, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 02418 436 NtCreateThread (0x1f03ff, 0x0, 352, 1239768, 1240488, 1, ... 
356, {588, 580}, ) == 0x0 02419 436 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312680, 1310720, 1391520, 1241588} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1391520, 1241588} "\0\0\0\0\0\0\1\0\2$\370w U\367wc\1\0\0d\1\0\0L\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 432, 436, 1514, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w`\1\0\0d\1\0\0L\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 432, 436, 1514, 0} (24, {168, 196, new_msg, 0, 1312680, 1310720, 1391520, 1241588} "\0\0\0\0\0\0\1\0\2$\370w U\367wc\1\0\0d\1\0\0L\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 432, 436, 1514, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w`\1\0\0d\1\0\0L\2\0\0D\2\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\350\6\24\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02420 436 NtResumeThread (356, ... 1, ) == 0x0 02421 436 NtClose (328, ... ) == 0x0 02422 436 NtClose (340, ... ) == 0x0 02423 436 NtDelayExecution (0, {-2000000, -1}, ... ) == 0x0 02424 436 NtClose (352, ... 
) == 0x0 02425 436 NtClose (356, ... ) == 0x0 02426 436 NtTerminateProcess (0, 0, ... ) == 0x0 02427 436 NtFreeVirtualMemory (-1, (0xd90000), 0, 32768, ... (0xd90000), 65536, ) == 0x0 02428 436 NtClose (292, ... ) == 0x0 02429 436 NtClose (296, ... ) == 0x0 02430 436 NtClose (304, ... ) == 0x0 02431 436 NtClose (300, ... ) == 0x0 02432 436 NtClose (308, ... ) == 0x0 02433 436 NtClose (280, ... ) == 0x0 02434 436 NtClose (288, ... ) == 0x0 02435 436 NtClose (324, ... ) == 0x0 02436 436 NtClose (320, ... ) == 0x0 02437 436 NtClose (316, ... ) == 0x0 02438 436 NtClose (312, ... ) == 0x0 02439 436 NtClose (284, ... ) == 0x0 02440 436 NtClose (268, ... ) == 0x0 02441 436 NtClose (264, ... ) == 0x0 02442 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0 02443 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x14,}, 4, ... ) == 0x0 02444 436 NtClose (256, ... ) == 0x0 02445 436 NtUnmapViewOfSection (-1, 0xd70000, ... ) == 0x0 02446 436 NtClose (260, ... ) == 0x0 02447 436 NtClose (252, ... ) == 0x0 02448 436 NtClose (240, ... ) == 0x0 02449 436 NtClose (244, ... ) == 0x0 02450 436 NtClose (248, ... ) == 0x0 02451 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0 02452 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0 02453 436 NtWaitForMultipleObjects (2, (212, 220, ), 1, 0, 0x0, ... ) == 0x1 02454 436 NtClose (220, ... ) == 0x0 02455 436 NtSetEvent (212, ... 0x0, ) == 0x0 02456 436 NtClose (212, ... ) == 0x0 02457 436 NtWaitForMultipleObjects (2, (224, 228, ), 1, 0, 0x0, ... ) == 0x1 02458 436 NtClose (228, ... ) == 0x0 02459 436 NtSetEvent (224, ... 0x0, ) == 0x0 02460 436 NtClose (224, ... ) == 0x0 02461 436 NtWaitForMultipleObjects (2, (232, 236, ), 1, 0, 0x0, ... ) == 0x1 02462 436 NtClose (236, ... ) == 0x0 02463 436 NtSetEvent (232, ... 0x0, ) == 0x0 02464 436 NtClose (232, ... 
) == 0x0 02465 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0 02466 436 NtFreeVirtualMemory (-1, (0xd30000), 0, 32768, ... (0xd30000), 262144, ) == 0x0 02467 436 NtUserUnregisterClass (1241888, 1991376896, 1241876, ... ) == 0x0 02468 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc03b 02469 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02470 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc03d 02471 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02472 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc03f 02473 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02474 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc041 02475 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02476 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc043 02477 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02478 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc045 02479 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02480 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc047 02481 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02482 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc049 02483 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02484 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc04b 02485 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02486 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc04d 02487 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02488 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... 
) == 0xc04f 02489 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02490 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc051 02491 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02492 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc053 02493 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02494 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc057 02495 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02496 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc059 02497 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02498 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc05b 02499 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02500 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc05d 02501 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02502 436 NtUserGetClassInfo (1999896576, 1241976, 1241928, 1242004, 0, ... ) == 0xc05f 02503 436 NtUserUnregisterClass (1241980, 1999896576, 1241968, ... ) == 0x1 02504 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0 02505 436 NtClose (160, ... ) == 0x0 02506 436 NtUnmapViewOfSection (-1, 0xce0000, ... ) == 0x0 02507 436 NtClose (164, ... ) == 0x0 02508 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 02509 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 02510 436 NtClose (132, ... ) == 0x0 02511 436 NtClose (120, ... ) == 0x0 02512 436 NtClose (136, ... ) == 0x0 02513 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc03b 02514 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02515 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... 
) == 0xc03d 02516 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02517 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc03f 02518 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02519 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc041 02520 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02521 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc043 02522 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02523 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc045 02524 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02525 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc047 02526 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02527 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc049 02528 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02529 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc04b 02530 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02531 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc04d 02532 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02533 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc04f 02534 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02535 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc051 02536 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02537 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc053 02538 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02539 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... 
) == 0xc057 02540 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02541 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc059 02542 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02543 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc05b 02544 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02545 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc05d 02546 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02547 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc05f 02548 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02549 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc017 02550 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02551 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc019 02552 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02553 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc018 02554 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02555 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc01a 02556 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02557 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc01c 02558 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02559 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc01e 02560 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02561 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc01b 02562 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02563 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... 
) == 0xc068 02564 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02565 436 NtUserGetClassInfo (1905590272, 1241976, 1241928, 1242004, 0, ... ) == 0xc06a 02566 436 NtUserUnregisterClass (1241980, 1905590272, 1241968, ... ) == 0x1 02567 436 NtUnmapViewOfSection (-1, 0xcf0000, ... ) == 0x0 02568 436 NtClose (128, ... ) == 0x0 02569 436 NtClose (112, ... ) == 0x0 02570 436 NtWaitForSingleObject (184, 0, 0x0, ... ) == 0x0 02571 436 NtClearEvent (184, ... ) == 0x0 02572 436 NtSetEvent (184, ... 0x0, ) == 0x0 02573 436 NtClose (184, ... ) == 0x0 02574 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 02575 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 02576 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 02577 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 02578 436 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 02579 436 NtClose (84, ... ) == 0x0 02580 436 NtGdiDeleteObjectApp (722469901, ... ) == 0x1 02581 436 NtUserGetProcessWindowStation (... ) == 0x28 02582 436 NtUserBuildNameList (40, 256, 1375120, 1241928, ... ) == 0x0 02583 436 NtUserGetProcessWindowStation (... ) == 0x28 02584 436 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x54 02585 436 NtUserBuildHwndList (84, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x50036, 0x20062, 0x10080, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x1009c, 0x1008c, 0x1007c, 0x10026, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x1007e, 0x10076, 0x1, ), 34, ) == 0x0 02586 436 NtUserQueryWindow (65706, 0, ... ) == 0x7f0 02587 436 NtUserQueryWindow (65706, 1, ... ) == 0x7f4 02588 436 NtUserQueryWindow (65704, 0, ... ) == 0x7f0 02589 436 NtUserQueryWindow (65704, 1, ... 
) == 0x7f4 02590 436 NtUserQueryWindow (65702, 0, ... ) == 0x7f0 02591 436 NtUserQueryWindow (65702, 1, ... ) == 0x7f4 02592 436 NtUserQueryWindow (327734, 0, ... ) == 0x7f0 02593 436 NtUserQueryWindow (327734, 1, ... ) == 0x7f4 02594 436 NtUserQueryWindow (131170, 0, ... ) == 0x784 02595 436 NtUserQueryWindow (131170, 1, ... ) == 0x794 02596 436 NtUserQueryWindow (65664, 0, ... ) == 0x784 02597 436 NtUserQueryWindow (65664, 1, ... ) == 0x794 02598 436 NtUserBuildHwndList (0, 65664, 1, 0, 64, ... (0x10082, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009e, 0x100a0, 0x100a2, 0x1, ), 13, ) == 0x0 02599 436 NtUserQueryWindow (65666, 0, ... ) == 0x784 02600 436 NtUserQueryWindow (65666, 1, ... ) == 0x794 02601 436 NtUserQueryWindow (65670, 0, ... ) == 0x784 02602 436 NtUserQueryWindow (65670, 1, ... ) == 0x794 02603 436 NtUserQueryWindow (65672, 0, ... ) == 0x784 02604 436 NtUserQueryWindow (65672, 1, ... ) == 0x794 02605 436 NtUserQueryWindow (65674, 0, ... ) == 0x784 02606 436 NtUserQueryWindow (65674, 1, ... ) == 0x794 02607 436 NtUserQueryWindow (65678, 0, ... ) == 0x784 02608 436 NtUserQueryWindow (65678, 1, ... ) == 0x794 02609 436 NtUserQueryWindow (65680, 0, ... ) == 0x784 02610 436 NtUserQueryWindow (65680, 1, ... ) == 0x794 02611 436 NtUserQueryWindow (65682, 0, ... ) == 0x784 02612 436 NtUserQueryWindow (65682, 1, ... ) == 0x794 02613 436 NtUserQueryWindow (65684, 0, ... ) == 0x784 02614 436 NtUserQueryWindow (65684, 1, ... ) == 0x794 02615 436 NtUserQueryWindow (65686, 0, ... ) == 0x784 02616 436 NtUserQueryWindow (65686, 1, ... ) == 0x794 02617 436 NtUserQueryWindow (65694, 0, ... ) == 0x784 02618 436 NtUserQueryWindow (65694, 1, ... ) == 0x794 02619 436 NtUserQueryWindow (65696, 0, ... ) == 0x784 02620 436 NtUserQueryWindow (65696, 1, ... ) == 0x794 02621 436 NtUserQueryWindow (65698, 0, ... ) == 0x784 02622 436 NtUserQueryWindow (65698, 1, ... ) == 0x794 02623 436 NtUserQueryWindow (65652, 0, ... 
) == 0x784 02624 436 NtUserQueryWindow (65652, 1, ... ) == 0x794 02625 436 NtUserQueryWindow (65640, 0, ... ) == 0x784 02626 436 NtUserQueryWindow (65640, 1, ... ) == 0x794 02627 436 NtUserQueryWindow (196682, 0, ... ) == 0x784 02628 436 NtUserQueryWindow (196682, 1, ... ) == 0x794 02629 436 NtUserQueryWindow (65638, 0, ... ) == 0x784 02630 436 NtUserQueryWindow (65638, 1, ... ) == 0x794 02631 436 NtUserQueryWindow (196684, 0, ... ) == 0x784 02632 436 NtUserQueryWindow (196684, 1, ... ) == 0x794 02633 436 NtUserQueryWindow (196668, 0, ... ) == 0x784 02634 436 NtUserQueryWindow (196668, 1, ... ) == 0x794 02635 436 NtUserBuildHwndList (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0 02636 436 NtUserQueryWindow (196670, 0, ... ) == 0x784 02637 436 NtUserQueryWindow (196670, 1, ... ) == 0x794 02638 436 NtUserQueryWindow (196674, 0, ... ) == 0x784 02639 436 NtUserQueryWindow (196674, 1, ... ) == 0x794 02640 436 NtUserQueryWindow (196672, 0, ... ) == 0x784 02641 436 NtUserQueryWindow (196672, 1, ... ) == 0x794 02642 436 NtUserQueryWindow (196676, 0, ... ) == 0x784 02643 436 NtUserQueryWindow (196676, 1, ... ) == 0x794 02644 436 NtUserQueryWindow (196678, 0, ... ) == 0x784 02645 436 NtUserQueryWindow (196678, 1, ... ) == 0x794 02646 436 NtUserQueryWindow (196680, 0, ... ) == 0x784 02647 436 NtUserQueryWindow (196680, 1, ... ) == 0x794 02648 436 NtUserQueryWindow (65642, 0, ... ) == 0x784 02649 436 NtUserQueryWindow (65642, 1, ... ) == 0x794 02650 436 NtUserQueryWindow (65646, 0, ... ) == 0x784 02651 436 NtUserQueryWindow (65646, 1, ... ) == 0x794 02652 436 NtUserQueryWindow (65650, 0, ... ) == 0x784 02653 436 NtUserQueryWindow (65650, 1, ... ) == 0x794 02654 436 NtUserQueryWindow (65692, 0, ... ) == 0x784 02655 436 NtUserQueryWindow (65692, 1, ... ) == 0x794 02656 436 NtUserQueryWindow (65676, 0, ... ) == 0x784 02657 436 NtUserQueryWindow (65676, 1, ... 
) == 0x794 02658 436 NtUserQueryWindow (65660, 0, ... ) == 0x784 02659 436 NtUserQueryWindow (65660, 1, ... ) == 0x788 02660 436 NtUserQueryWindow (65574, 0, ... ) == 0x268 02661 436 NtUserQueryWindow (65574, 1, ... ) == 0x2c0 02662 436 NtUserQueryWindow (65726, 0, ... ) == 0x7f8 02663 436 NtUserQueryWindow (65726, 1, ... ) == 0x7fc 02664 436 NtUserQueryWindow (65724, 0, ... ) == 0x7f8 02665 436 NtUserQueryWindow (65724, 1, ... ) == 0x7fc 02666 436 NtUserQueryWindow (65722, 0, ... ) == 0x7f8 02667 436 NtUserQueryWindow (65722, 1, ... ) == 0x7fc 02668 436 NtUserQueryWindow (65720, 0, ... ) == 0x7f8 02669 436 NtUserQueryWindow (65720, 1, ... ) == 0x7fc 02670 436 NtUserQueryWindow (65718, 0, ... ) == 0x7f8 02671 436 NtUserQueryWindow (65718, 1, ... ) == 0x7fc 02672 436 NtUserQueryWindow (65716, 0, ... ) == 0x7f8 02673 436 NtUserQueryWindow (65716, 1, ... ) == 0x7fc 02674 436 NtUserQueryWindow (65714, 0, ... ) == 0x7f8 02675 436 NtUserQueryWindow (65714, 1, ... ) == 0x7fc 02676 436 NtUserQueryWindow (65712, 0, ... ) == 0x7f8 02677 436 NtUserQueryWindow (65712, 1, ... ) == 0x7fc 02678 436 NtUserQueryWindow (131172, 0, ... ) == 0x78 02679 436 NtUserQueryWindow (131172, 1, ... ) == 0x7c 02680 436 NtUserQueryWindow (65708, 0, ... ) == 0x7f0 02681 436 NtUserQueryWindow (65708, 1, ... ) == 0x7f4 02682 436 NtUserQueryWindow (131166, 0, ... ) == 0x7e8 02683 436 NtUserQueryWindow (131166, 1, ... ) == 0x7ec 02684 436 NtUserQueryWindow (65644, 0, ... ) == 0x784 02685 436 NtUserQueryWindow (65644, 1, ... ) == 0x7c0 02686 436 NtUserQueryWindow (327760, 0, ... ) == 0x784 02687 436 NtUserQueryWindow (327760, 1, ... ) == 0x788 02688 436 NtUserQueryWindow (262228, 0, ... ) == 0x784 02689 436 NtUserQueryWindow (262228, 1, ... ) == 0x788 02690 436 NtUserQueryWindow (327758, 0, ... ) == 0x784 02691 436 NtUserQueryWindow (327758, 1, ... ) == 0x788 02692 436 NtUserQueryWindow (65662, 0, ... ) == 0x784 02693 436 NtUserQueryWindow (65662, 1, ... 
) == 0x788 02694 436 NtUserQueryWindow (65654, 0, ... ) == 0x784 02695 436 NtUserQueryWindow (65654, 1, ... ) == 0x788 02696 436 NtUserBuildHwndList (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0 02697 436 NtUserQueryWindow (65656, 0, ... ) == 0x784 02698 436 NtUserQueryWindow (65656, 1, ... ) == 0x788 02699 436 NtUserQueryWindow (65658, 0, ... ) == 0x784 02700 436 NtUserQueryWindow (65658, 1, ... ) == 0x788 02701 436 NtUserCloseDesktop (84, ... 02702 436 NtClose (84, ... ) == 0x0 02701 436 NtUserCloseDesktop ... ) == 0x1 02703 436 NtUserGetProcessWindowStation (... ) == 0x28 02704 436 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02705 436 NtUserGetProcessWindowStation (... ) == 0x28 02706 436 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02707 436 NtGdiDeleteObjectApp (352977931, ... ) == 0x1 02708 436 NtGdiDeleteObjectApp (134874072, ... ) == 0x1 02709 436 NtClose (76, ... ) == 0x0 02710 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02711 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 02712 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 02713 436 NtFreeVirtualMemory (-1, (0x1010000), 4096, 32768, ... (0x1010000), 4096, ) == 0x0 02714 436 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 65536, 4455860, 1, 68} (24, {20, 48, new_msg, 0, 65536, 4455860, 1, 68} "\0\0\0\0\3\0\1\003\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 432, 436, 1531, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 432, 436, 1531, 0} (24, {20, 48, new_msg, 0, 65536, 4455860, 1, 68} "\0\0\0\0\3\0\1\003\25\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 432, 436, 1531, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02715 436 NtTerminateProcess (-1, 0, ... 02716 436 NtClose (44, ... ) == 0x0