Summary:


NtAddAtom(>)  1 
NtFsControlFile(>)  2 
NtGdiGetStockObject(>)  5 
NtQueryInformationFile(>)  21 

NtCallbackReturn(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtCreateEvent(>)  23 

NtCreateMutant(>)  1 
NtGdiHfontCreate(>)  2 
NtOpenThreadToken(>)  6 
NtQueryInformationProcess(>)  23 

NtCreateProcessEx(>)  1 
NtOpenDirectoryObject(>)  2 
NtSetEvent(>)  7 
NtQueryDirectoryFile(>)  24 

NtDelayExecution(>)  1 
NtOpenEvent(>)  2 
NtSetValueKey(>)  7 
NtCreateFile(>)  28 

NtEnumerateValueKey(>)  1 
NtOpenProcess(>)  2 
NtUserBuildHwndList(>)  7 
NtOpenProcessTokenEx(>)  33 

NtGdiCreateBitmap(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtOpenMutant(>)  8 
NtOpenThreadTokenEx(>)  33 

NtGdiCreatePatternBrushInternal(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtOpenProcessToken(>)  9 
NtOpenSection(>)  40 

NtGdiInit(>)  1 
NtReadVirtualMemory(>)  2 
NtSetInformationProcess(>)  9 
NtQueryInformationToken(>)  40 

NtGdiQueryFontAssocInfo(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtUserCallNoParam(>)  9 
NtQuerySystemInformation(>)  41 

NtGdiSelectBitmap(>)  1 
NtResumeThread(>)  2 
NtCreateKey(>)  10 
NtUserGetAtomName(>)  47 

NtOpenKeyedEvent(>)  1 
NtSetEventBoostPriority(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtUserUnregisterClass(>)  47 

NtQueryEvent(>)  1 
NtTestAlert(>)  2 
NtReleaseMutant(>)  10 
NtUserFindExistingCursorIcon(>)  50 

NtQueryInformationJobObject(>)  1 
NtClearEvent(>)  3 
NtUserGetWindowDC(>)  10 
NtFreeVirtualMemory(>)  56 

NtQueryInformationThread(>)  1 
NtContinue(>)  3 
NtCreateSemaphore(>)  11 
NtQueryVirtualMemory(>)  57 

NtQueryInstallUILanguage(>)  1 
NtDuplicateObject(>)  3 
NtEnumerateKey(>)  12 
NtMapViewOfSection(>)  60 

NtQueryObject(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUserCallOneParam(>)  12 
NtUserRegisterClassExWOW(>)  61 

NtQueryTimerResolution(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtUserSystemParametersInfo(>)  12 
NtOpenFile(>)  64 

NtReadFile(>)  1 
NtNotifyChangeKey(>)  3 
NtSetInformationThread(>)  13 
NtQueryAttributesFile(>)  76 

NtSecureConnectPort(>)  1 
NtQueryPerformanceCounter(>)  3 
NtQueryVolumeInformationFile(>)  15 
NtCreateSection(>)  82 

NtUserBuildNameList(>)  1 
NtReleaseSemaphore(>)  3 
NtRequestWaitReplyPort(>)  15 
NtFlushInstructionCache(>)  136 

NtUserCloseDesktop(>)  1 
NtTerminateProcess(>)  3 
NtQueryDebugFilterState(>)  17 
NtUserValidateHandleSecure(>)  144 

NtUserGetDC(>)  1 
NtUserOpenDesktop(>)  3 
NtSetInformationFile(>)  17 
NtUserQueryWindow(>)  178 

NtUserGetGUIThreadInfo(>)  1 
NtWaitForMultipleObjects(>)  3 
NtQuerySection(>)  18 
NtAllocateVirtualMemory(>)  203 

NtUserGetObjectInformation(>)  1 
NtQueryKey(>)  4 
NtUnmapViewOfSection(>)  18 
NtProtectVirtualMemory(>)  278 

NtUserGetThreadDesktop(>)  1 
NtSetInformationObject(>)  4 
NtDeviceIoControlFile(>)  19 
NtOpenKey(>)  311 

NtConnectPort(>)  2 
NtWriteFile(>)  4 
NtQueryDefaultLocale(>)  19 
NtQueryValueKey(>)  423 

NtCreateThread(>)  2 
NtWriteVirtualMemory(>)  4 
NtUserRegisterWindowMessage(>)  20 
NtClose(>)  466 

NtDuplicateToken(>)  2 
NtAccessCheck(>)  5 
NtWaitForSingleObject(>)  20 

Trace:
 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147481368, {status=0x0, info=1}, ) }, 0, 32, ... -2147481368, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147481368, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147481368, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147481368, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147481368, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147481368, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147481368, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147481368, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147481368, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147481368, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147481368, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147481368, 0, 0x0, 0x0, 0x90120,  (-2147481368, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147482764, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147482764, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147482764, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147482764, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147482764, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00037   896   NtClose  (-2147482688, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0
 00053   896   NtClose  (-2147482760, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0
 00055   896   NtClose  (-2147481628, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0
 00057   896   NtClose  (-2147481484, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147481480, ) == 0x0
 00059   896   NtClose  (-2147481480, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481480, ... -2147482136, ) == 0x0
 00061   896   NtClose  (-2147482136, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482136, ... -2147482748, ) == 0x0
 00063   896   NtClose  (-2147482748, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482748, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147482764, ... ) == 0x0
 00093   896   NtClose  (-2147482688, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147482760, ... ) == 0x0
 00102   896   NtClose  (-2147481628, ... ) == 0x0
 00103   896   NtClose  (-2147481484, ... ) == 0x0
 00104   896   NtClose  (-2147481480, ... ) == 0x0
 00105   896   NtClose  (-2147482136, ... ) == 0x0
 00106   896   NtClose  (-2147482748, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147482748, ) == 0x0
 00145   896   NtClose  (-2147482748, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482748, ... -2147482136, ) == 0x0
 00147   896   NtClose  (-2147482136, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482136, ... -2147481480, ) == 0x0
 00149   896   NtClose  (-2147481480, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481480, ... -2147481484, ) == 0x0
 00151   896   NtClose  (-2147481484, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0
 00153   896   NtClose  (-2147481628, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0
 00155   896   NtClose  (-2147482760, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147482748, ... ) == 0x0
 00178   896   NtClose  (-2147482136, ... ) == 0x0
 00179   896   NtClose  (-2147481480, ... ) == 0x0
 00180   896   NtClose  (-2147481484, ... ) == 0x0
 00181   896   NtClose  (-2147481628, ... ) == 0x0
 00182   896   NtClose  (-2147482760, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147481368, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (12, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (16, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (16, ... ) == 0x0
 00215   896   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81831, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (16, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (16, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (16, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (16, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (16, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81832, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81833, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 4, ... (0x500000), 233472, 128, ) == 0x0
 00247   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 128, ... (0x500000), 233472, 4, ) == 0x0
 00248   896   NtFlushInstructionCache  (-1, 5242880, 233472, ... ) == 0x0
 00249   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 16, ) }, ... 16, ) == 0x0
 00250   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 73728, ) == 0x0
 00251   896   NtClose  (16, ... ) == 0x0
 00252   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00253   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00254   896   NtClose  (16, ... ) == 0x0
 00255   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00256   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00257   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00258   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00259   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00260   896   NtClose  (16, ... ) == 0x0
 00261   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00262   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00263   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00264   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00265   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00266   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00267   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00268   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00269   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00270   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00271   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00272   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00273   896   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 00274   896   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 00275   896   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 00276   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00277   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00278   896   NtClose  (16, ... ) == 0x0
 00279   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00280   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00281   896   NtClose  (16, ... ) == 0x0
 00282   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00283   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00284   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00285   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00286   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00287   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00288   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00289   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00290   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00291   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00292   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00293   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00294   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00295   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00296   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00297   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00298   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00299   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00300   896   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 00301   896   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 00302   896   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 00303   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 4, ... (0x500000), 233472, 64, ) == 0x0
 00304   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 64, ... (0x500000), 233472, 4, ) == 0x0
 00305   896   NtFlushInstructionCache  (-1, 5242880, 233472, ... ) == 0x0
 00306   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   896   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00308   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   896   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00310   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00311   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00312   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00313   896   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00314   896   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00315   896   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00316   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00317   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00318   896   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00319   896   NtClose  (36, ... ) == 0x0
 00320   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00321   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00322   896   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00323   896   NtClose  (36, ... ) == 0x0
 00324   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00325   896   NtClose  (32, ... ) == 0x0
 00326   896   NtClose  (16, ... ) == 0x0
 00327   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00328   896   NtClose  (28, ... ) == 0x0
 00329   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00330   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00331   896   NtClose  (28, ... ) == 0x0
 00332   896   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00333   896   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00334   896   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00335   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00336   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00337   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00338   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00339   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00340   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00341   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00342   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00343   896   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00344   896   NtClose  (28, ... ) == 0x0
 00345   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00346   896   NtClose  (16, ... ) == 0x0
 00347   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00348   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00349   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00350   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00351   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00352   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00353   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 4, ... (0x500000), 233472, 64, ) == 0x0
 00354   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 64, ... (0x500000), 233472, 4, ) == 0x0
 00355   896   NtFlushInstructionCache  (-1, 5242880, 233472, ... ) == 0x0
 00356   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.DLL"}, ... 16, ) }, ... 16, ) == 0x0
 00357   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00358   896   NtClose  (16, ... ) == 0x0
 00359   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00360   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00361   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00362   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00363   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00364   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00365   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00366   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00367   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00368   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00369   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00370   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00371   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00372   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00373   896   NtClose  (16, ... ) == 0x0
 00374   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00375   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00376   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00377   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00378   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00379   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00380   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00381   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00382   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00383   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00384   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00385   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00386   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00387   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00388   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00389   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00390   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00391   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00392   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00393   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00394   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00395   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00396   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00397   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00398   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00399   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00400   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00401   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00402   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00403   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00404   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 4, ... (0x500000), 233472, 64, ) == 0x0
 00405   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 64, ... (0x500000), 233472, 4, ) == 0x0
 00406   896   NtFlushInstructionCache  (-1, 5242880, 233472, ... ) == 0x0
 00407   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 4, ... (0x500000), 233472, 64, ) == 0x0
 00408   896   NtProtectVirtualMemory  (-1, (0x500000), 233472, 64, ... (0x500000), 233472, 4, ) == 0x0
 00409   896   NtFlushInstructionCache  (-1, 5242880, 233472, ... ) == 0x0
 00410   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00411   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00412   896   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00413   896   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00414   896   NtClose  (16, ... ) == 0x0
 00415   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00416   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00417   896   NtClose  (16, ... ) == 0x0
 00418   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00419   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00420   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00421   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00422   896   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00423   896   NtClose  (16, ... ) == 0x0
 00424   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00425   896   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00426   896   NtClose  (16, ... ) == 0x0
 00427   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00428   896   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00429   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00430   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00432   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00433   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242016, 2090320480, 1242052, 1242028}  (24, {28, 56, new_msg, 0, 1242016, 2090320480, 1242052, 1242028} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81834, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81834, 0}  (24, {28, 56, new_msg, 0, 1242016, 2090320480, 1242052, 1242028} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81834, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00434   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00435   896   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00436   896   NtClose  (28, ... ) == 0x0
 00437   896   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00438   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00439   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00440   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00441   896   NtClose  (28, ... ) == 0x0
 00442   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x540000), 0x0, 110592, ) == 0x0
 00443   896   NtClose  (32, ... ) == 0x0
 00444   896   NtUnmapViewOfSection  (-1, 0x540000, ... ) == 0x0
 00445   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00446   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00447   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00448   896   NtClose  (32, ... ) == 0x0
 00449   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x540000), 0x0, 110592, ) == 0x0
 00450   896   NtClose  (28, ... ) == 0x0
 00451   896   NtUnmapViewOfSection  (-1, 0x540000, ... ) == 0x0
 00452   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00453   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00454   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00455   896   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00456   896   NtClose  (28, ... ) == 0x0
 00457   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00458   896   NtClose  (32, ... ) == 0x0
 00459   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00460   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00461   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00462   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00463   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00464   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00465   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00466   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00467   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00468   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00469   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00470   896   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00471   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00472   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00473   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00474   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00475   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00476   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00478   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00479   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00480   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00481   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00482   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00483   896   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00484   896   NtClose  (32, ... ) == 0x0
 00485   896   NtMapViewOfSection  (-2147481368, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x540000), 0x0, 1060864, ) == 0x0
 00486   896   NtClose  (-2147481368, ... ) == 0x0
 00487   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00488   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00489   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147481368, ) == 0x0
 00490   896   NtQueryInformationToken  (-2147481368, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00491   896   NtQueryInformationToken  (-2147481368, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00492   896   NtClose  (-2147481368, ... ) == 0x0
 00493   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00494   896   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00495   896   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00496   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00497   896   NtQueryValueKey  (-2147481368,  (-2147481368, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498   896   NtClose  (-2147481368, ... ) == 0x0
 00499   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00500   896   NtQueryValueKey  (-2147481368,  (-2147481368, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00501   896   NtClose  (-2147481368, ... ) == 0x0
 00502   896   NtQueryDefaultLocale  (0, -135747252, ... ) == 0x0
 00503   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00504   896   NtUserCallNoParam  (24, ... ) == 0x0
 00505   896   NtGdiCreateCompatibleDC  (0, ...
 00506   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00505   896   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00507   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00508   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00509   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00510   896   NtGdiCreateSolidBrush  (0, 0, ...
 00511   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9764864, 4096, ) == 0x0
 00510   896   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00512   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00513   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00514   896   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00515   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x24
 00516   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00517   896   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00518   896   NtClose  (44, ... ) == 0x0
 00519   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00520   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8177c017
 00521   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00522   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8177c01c
 00523   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00524   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8177c01e
 00525   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00526   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81778002
 00527   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00528   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8177c018
 00529   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00530   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8177c01a
 00531   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00532   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8177c01d
 00533   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00534   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8177c026
 00535   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00536   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8177c019
 00537   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c020
 00538   896   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c022
 00539   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c023
 00540   896   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c024
 00541   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c025
 00542   896   NtCallbackReturn  (0, 0, 0, ...
 00543   896   NtGdiInit  (... ) == 0x1
 00544   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00545   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00546   896   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 44, ) == 0x0
 00547   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 48, ) == 0x0
 00548   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 52, ) }, ... 52, ) == 0x0
 00549   896   NtNotifyChangeKey  (52, 48, 0, 0, 2011455960, 4, 0, 0, 0, 1, ... ) == 0x103
 00550   896   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00551   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 56, ) == 0x0
 00552   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 60, ) == 0x0
 00553   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00554   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9830400, 65536, ) == 0x0
 00555   896   NtAllocateVirtualMemory  (-1, 9830400, 0, 4096, 4096, 4, ... 9830400, 4096, ) == 0x0
 00556   896   NtAllocateVirtualMemory  (-1, 9834496, 0, 8192, 4096, 4, ... 9834496, 8192, ) == 0x0
 00557   896   NtAllocateVirtualMemory  (-1, 9842688, 0, 4096, 4096, 4, ... 9842688, 4096, ) == 0x0
 00558   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 64, ) }, ... 64, ) == 0x0
 00559   896   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x970000), 0x0, 12288, ) == 0x0
 00560   896   NtClose  (64, ... ) == 0x0
 00561   896   NtAllocateVirtualMemory  (-1, 9846784, 0, 4096, 4096, 4, ... 9846784, 4096, ) == 0x0
 00562   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00563   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00564   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00565   896   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00566   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00567   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00568   896   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00569   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 64, {status=0x0, info=0}, ) }, 7, 16, ... 64, {status=0x0, info=0}, ) == 0x0
 00570   896   NtDeviceIoControlFile  (64, 0, 0x0, 0x0, 0x390008,  (64, 0, 0x0, 0x0, 0x390008, "p\312qX\226\263<\211\15\2202s\10\232\31\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00571   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00572   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00573   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00574   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00575   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00576   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00577   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00578   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 00579   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\203\303\37\314F\373\355\361\350I9J69\234+\301\12\325&\25W\30i\2037\317U\353F\350\365\0H\362\224;\140!k\277x}\1t\354,w\0\224\330\267^\215\320\5\234\337&\10?a\272{b"\317\327?\2445\275\327\205\242\-C\17", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\203\303\37\314F\373\355\361\350I9J69\234+\301\12\325&\25W\30i\2037\317U\353F\350\365\0H\362\224;\140!k\277x}\1t\354,w\0\224\330\267^\215\320\5\234\337&\10?a\272{b"\317\327?\2445\275\327\205\242\-C\17", 80, ... ) \317\327?\2445\275\327\205\242\-C\17", 80, ... ) == 0x0
 00580   896   NtClose  (-2147481368, ... ) == 0x0
 00570   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\20h\332\341t/!P\313\277\370\26\262\261\344\377\37D\225\330\257\343=E\314\232MZY\177\225\234\264\4\11m\330\324\257\257\367F\204\364\353`\276\321\315q\377Q\243\373\330\2203h\211 \340G\213\222\245CG\226 -\321\344\301\357\345F:\23'\201\10Y\246P\301\300\1\37\27\256t<\377\35\231\177\315\225}\36\26\232V^\35g\260D\3\367\315\214\342>^\363\325\202\232\366U\336\1m\213\2231\324*\347\211j6\0\2264\366(\355\252\301\227\21\225\227\345\340\254y( \346l\33/\234C\205<:\354\340\376\230\26u\216b\211p\325\203V\334-\217\312\303O)w\30d\16\344\336{\10V\310\216\237'a\346\324\266\356Q\310(\213\233\26\213c\370fTy\217|\257\356\203\221Nm\36\220=\275\356\222.R\273q\343/l/\10,\5fG\345~\235\354\247?\321\16\333O\203o=RN\215\322", ) , ) == 0x0
 00581   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00582   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00583   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 68, ) }, ... 68, ) == 0x0
 00584   896   NtQueryValueKey  (68,  (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00585   896   NtClose  (68, ... ) == 0x0
 00586   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 68, ) }, ... 68, ) == 0x0
 00587   896   NtQueryValueKey  (68,  (68, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00588   896   NtClose  (68, ... ) == 0x0
 00589   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00590   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00591   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00592   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00593   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 68, ) }, ... 68, ) == 0x0
 00594   896   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   896   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00596   896   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   896   NtClose  (68, ... ) == 0x0
 00598   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 68, ) }, ... 68, ) == 0x0
 00599   896   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   896   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00601   896   NtClose  (68, ... ) == 0x0
 00602   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 68, ) }, ... 68, ) == 0x0
 00603   896   NtOpenEvent  (0x1f0003, {24, 68, 0x0, 0, 0,  (0x1f0003, {24, 68, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604   896   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00605   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   896   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00607   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   896   NtTestAlert  (... ) == 0x0
 00609   896   NtContinue  (1244464, 1, ...
 00610   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x50022d,}, 4, ... ) == 0x0
 00611   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 9961472, 4096, ) == 0x0
 00612   896   NtAllocateVirtualMemory  (-1, 0, 0, 15980, 4096, 4, ... 10027008, 16384, ) == 0x0
 00613   896   NtFreeVirtualMemory  (-1, (0x990000), 0, 32768, ... (0x990000), 16384, ) == 0x0
 00614   896   NtFreeVirtualMemory  (-1, (0x980000), 0, 32768, ... (0x980000), 4096, ) == 0x0
 00615   896   NtAllocateVirtualMemory  (-1, 0, 0, 196608, 4096, 64, ... 9961472, 196608, ) == 0x0
 00616   896   NtAllocateVirtualMemory  (-1, 0, 0, 196608, 4096, 64, ... 10158080, 196608, ) == 0x0
 00617   896   NtFreeVirtualMemory  (-1, (0x980000), 0, 32768, ... (0x980000), 196608, ) == 0x0
 00618   896   NtAllocateVirtualMemory  (-1, 0, 0, 1350, 4096, 4, ... 9961472, 4096, ) == 0x0
 00619   896   NtFreeVirtualMemory  (-1, (0x980000), 0, 32768, ... (0x980000), 4096, ) == 0x0
 00620   896   NtAllocateVirtualMemory  (-1, 0, 0, 148480, 4096, 4, ... 9961472, 151552, ) == 0x0
 00621   896   NtFreeVirtualMemory  (-1, (0x980000), 0, 32768, ... (0x980000), 151552, ) == 0x0
 00622   896   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 4, ... 9961472, 4096, ) == 0x0
 00623   896   NtFreeVirtualMemory  (-1, (0x980000), 0, 32768, ... (0x980000), 4096, ) == 0x0
 00624   896   NtAllocateVirtualMemory  (-1, 0, 0, 3584, 4096, 4, ... 9961472, 4096, ) == 0x0
 00625   896   NtFreeVirtualMemory  (-1, (0x980000), 0, 32768, ... (0x980000), 4096, ) == 0x0
 00626   896   NtAllocateVirtualMemory  (-1, 0, 0, 8704, 4096, 4, ... 9961472, 12288, ) == 0x0
 00627   896   NtFreeVirtualMemory  (-1, (0x980000), 0, 32768, ... (0x980000), 12288, ) == 0x0
 00628   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00629   896   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00630   896   NtClose  (72, ... ) == 0x0
 00631   896   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00632   896   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00633   896   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00634   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00635   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00636   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00637   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wsock32.dll"}, 1242940, ... ) }, 1242940, ... ) == 0x0
 00638   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wsock32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00639   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 76, ) == 0x0
 00640   896   NtQuerySection  (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00641   896   NtClose  (72, ... ) == 0x0
 00642   896   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 36864, ) == 0x0
 00643   896   NtClose  (76, ... ) == 0x0
 00644   896   NtProtectVirtualMemory  (-1, (0x71ad1000), 52, 4, ... (0x71ad1000), 4096, 32, ) == 0x0
 00645   896   NtProtectVirtualMemory  (-1, (0x71ad1000), 4096, 32, ... (0x71ad1000), 4096, 4, ) == 0x0
 00646   896   NtFlushInstructionCache  (-1, 1907167232, 52, ... ) == 0x0
 00647   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00648   896   NtQueryPerformanceCounter  (... {-1450256700, 16}, {3579545, 0}, ) == 0x0
 00649   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00650   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00651   896   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00652   896   NtClose  (76, ... ) == 0x0
 00653   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 76, ) }, ... 76, ) == 0x0
 00654   896   NtSetInformationObject  (76, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00655   896   NtOpenKey  (0xf003f, {24, 76, 0x40, 0, 0,  (0xf003f, {24, 76, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00656   896   NtOpenKey  (0xf003f, {24, 76, 0x40, 0, 0,  (0xf003f, {24, 76, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00657   896   NtOpenProcessToken  (-1, 0x8, ... 72, ) == 0x0
 00658   896   NtQueryInformationToken  (72, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00659   896   NtClose  (72, ... ) == 0x0
 00660   896   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00661   896   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00662   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 10354688, 1048576, ) == 0x0
 00663   896   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00664   896   NtAllocateVirtualMemory  (-1, 10354688, 0, 16384, 4096, 4, ... 10354688, 16384, ) == 0x0
 00665   896   NtUserCallNoParam  (29, ...
 00666   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242224, ... ) }, 1242224, ... ) == 0x0
 00667   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00668   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 72, ... 80, ) == 0x0
 00669   896   NtClose  (72, ... ) == 0x0
 00670   896   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xae0000), 0x0, 221184, ) == 0x0
 00671   896   NtClose  (80, ... ) == 0x0
 00672   896   NtUnmapViewOfSection  (-1, 0xae0000, ... ) == 0x0
 00673   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242532, ... ) }, 1242532, ... ) == 0x0
 00674   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00675   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 72, ) == 0x0
 00676   896   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00677   896   NtClose  (80, ... ) == 0x0
 00678   896   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00679   896   NtClose  (72, ... ) == 0x0
 00680   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00681   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00682   896   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00683   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00684   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00685   896   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00686   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00687   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00688   896   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00689   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00690   896   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00691   896   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00692   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00693   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00694   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00695   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00696   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 72, ) == 0x0
 00697   896   NtQueryInformationToken  (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00698   896   NtClose  (72, ... ) == 0x0
 00699   896   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 72, ) }, ... 72, ) == 0x0
 00700   896   NtOpenKey  (0x1, {24, 72, 0x40, 0, 0,  (0x1, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 80, ) }, ... 80, ) == 0x0
 00701   896   NtQueryValueKey  (80,  (80, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00702   896   NtClose  (80, ... ) == 0x0
 00703   896   NtClose  (72, ... ) == 0x0
 00704   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00705   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 72, ) == 0x0
 00706   896   NtQueryInformationToken  (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00707   896   NtClose  (72, ... ) == 0x0
 00708   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 72, ) }, ... 72, ) == 0x0
 00709   896   NtOpenKey  (0x1, {24, 72, 0x40, 0, 0,  (0x1, {24, 72, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00710   896   NtQueryValueKey  (80,  (80, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00711   896   NtClose  (80, ... ) == 0x0
 00712   896   NtClose  (72, ... ) == 0x0
 00713   896   NtUserGetProcessWindowStation  (... ) == 0x1c
 00714   896   NtUserGetObjectInformation  (28, 2, 1244320, 64, 1244316, ... ) == 0x1
 00715   896   NtUserGetGUIThreadInfo  (896, 1244340, ... ) == 0x1
 00716   896   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244184, 64, ... 72, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244184, 64, ... 72, 0x0, 0x0, 0x0, 64, ) == 0x0
 00717   896   NtRequestWaitReplyPort  (72, {32, 56, new_msg, 0, 0, 0, 0, 0}  (72, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81836, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1252, 896, 81836, 0}  (72, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81836, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00718   896   NtRequestWaitReplyPort  (72, {32, 56, new_msg, 0, 0, 0, 0, 0}  (72, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81837, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1252, 896, 81837, 0}  (72, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81837, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00719   896   NtUserCallNoParam  (29, ...
 00720   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241580, ... ) }, 1241580, ... ) == 0x0
 00719   896   NtUserCallNoParam  ... ) == 0x0
 00721   896   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00722   896   NtGdiHfontCreate  (1243708, 356, 0, 0, 1333248, ... ) == 0x640a0596
 00723   896   NtGdiHfontCreate  (1243708, 356, 0, 0, 1333240, ... ) == 0x740a05de
 00724   896   NtRequestWaitReplyPort  (72, {32, 56, new_msg, 0, 0, 0, 0, 0}  (72, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81838, 0} "\0\0\0\0\0\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1252, 896, 81838, 0}  (72, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81838, 0} "\0\0\0\0\0\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00725   896   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xae0000), {0, 0}, 327680, ) == 0x0
 00726   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00727   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00728   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00729   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00730   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00731   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00732   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00733   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00734   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00735   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00736   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00737   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00738   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00739   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00740   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00741   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00742   896   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00743   896   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0xb91006e8
 00744   896   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00745   896   NtUserCallNoParam  (29, ...
 00746   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241020, ... ) }, 1241020, ... ) == 0x0
 00745   896   NtUserCallNoParam  ... ) == 0x0
 00747   896   NtUserCallNoParam  (29, ...
 00748   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0
 00747   896   NtUserCallNoParam  ... ) == 0x0
 00665   896   NtUserCallNoParam  ... ) == 0x1
 00749   896   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 84, ) }, ... 84, ) == 0x0
 00750   896   NtQueryValueKey  (84,  (84, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00751   896   NtQueryValueKey  (84,  (84, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (84, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00752   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00753   896   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Protocol_Catalog9"}, ... 92, ) }, ... 92, ) == 0x0
 00754   896   NtQueryValueKey  (92,  (92, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00755   896   NtNotifyChangeKey  (92, 88, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00756   896   NtQueryValueKey  (92,  (92, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00757   896   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00758   896   NtQueryValueKey  (92,  (92, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00759   896   NtQueryValueKey  (92,  (92, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00760   896   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "Catalog_Entries"}, ... 96, ) }, ... 96, ) == 0x0
 00761   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000001"}, ... 100, ) }, ... 100, ) == 0x0
 00762   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00763   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00764   896   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00765   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\376\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\376\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\377\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\377\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\0\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\0\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\1\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\376\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\376\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\377\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\377\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\0\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\0\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\1\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\0\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\1\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\376\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\376\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\377\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\377\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\0\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\0\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\1\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00766   896   NtClose  (100, ... ) == 0x0
 00767   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000002"}, ... 100, ) }, ... 100, ) == 0x0
 00768   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00769   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00770   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\3\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\3\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\4\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\5\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\3\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\3\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\4\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\5\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\3\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\3\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\4\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\5\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00771   896   NtClose  (100, ... ) == 0x0
 00772   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000003"}, ... 100, ) }, ... 100, ) == 0x0
 00773   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00774   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00775   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\10\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\10\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\11\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\12\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\10\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\10\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\11\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\12\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\10\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\10\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\11\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\12\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00776   896   NtClose  (100, ... ) == 0x0
 00777   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000004"}, ... 100, ) }, ... 100, ) == 0x0
 00778   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00779   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00780   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\15\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\15\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\16\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\17\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\15\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\15\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\16\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\17\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\15\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\15\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\16\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\17\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00781   896   NtClose  (100, ... ) == 0x0
 00782   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000005"}, ... 100, ) }, ... 100, ) == 0x0
 00783   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00784   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00785   896   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00786   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\23\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\23\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\24\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\24\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\25\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\25\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\23\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\23\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\24\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\24\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\25\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\25\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\25\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\23\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\23\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\24\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\24\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\25\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\25\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00787   896   NtClose  (100, ... ) == 0x0
 00788   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000006"}, ... 100, ) }, ... 100, ) == 0x0
 00789   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00790   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00791   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\30\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\30\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\31\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\32\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\30\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\30\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\31\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\32\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\30\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\30\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\31\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\32\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\32\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\33\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00792   896   NtClose  (100, ... ) == 0x0
 00793   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000007"}, ... 100, ) }, ... 100, ) == 0x0
 00794   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00795   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00796   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\35\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\35\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\36\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\37\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\35\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\35\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\36\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\37\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\35\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\35\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\36\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\37\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00797   896   NtClose  (100, ... ) == 0x0
 00798   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000008"}, ... 100, ) }, ... 100, ) == 0x0
 00799   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00800   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00801   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0"\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0#\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0$\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0"\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0#\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0$\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0"\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0#\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0$\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0"\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0#\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0$\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00802   896   NtClose  (100, ... ) == 0x0
 00803   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000009"}, ... 100, ) }, ... 100, ) == 0x0
 00804   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00805   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00806   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0'\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0'\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0(\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0)\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0'\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0'\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0(\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0)\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0'\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0'\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0(\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0)\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00807   896   NtClose  (100, ... ) == 0x0
 00808   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000010"}, ... 100, ) }, ... 100, ) == 0x0
 00809   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00810   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00811   896   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00812   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0-\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0-\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0.\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0/\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0/\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0-\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0-\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0.\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0/\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0/\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0/\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0-\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0-\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0.\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0/\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0/\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00813   896   NtClose  (100, ... ) == 0x0
 00814   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000011"}, ... 100, ) }, ... 100, ) == 0x0
 00815   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00816   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00817   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\02\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\02\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\03\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\04\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\04\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\02\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\02\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\03\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\04\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\04\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\04\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\02\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\02\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\03\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\04\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\04\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00818   896   NtClose  (100, ... ) == 0x0
 00819   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000012"}, ... 100, ) }, ... 100, ) == 0x0
 00820   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00821   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00822   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\07\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\07\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\08\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\09\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\07\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\07\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\08\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\09\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\07\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\07\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\08\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\09\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00823   896   NtClose  (100, ... ) == 0x0
 00824   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000013"}, ... 100, ) }, ... 100, ) == 0x0
 00825   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00826   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00827   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0<\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0<\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0=\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0>\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0<\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0<\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0=\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0>\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0<\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0<\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0=\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0>\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00828   896   NtClose  (100, ... ) == 0x0
 00829   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000014"}, ... 100, ) }, ... 100, ) == 0x0
 00830   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00831   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00832   896   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00833   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0B\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0B\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0C\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0C\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0D\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0D\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0B\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0B\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0C\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0C\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0D\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0D\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0D\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0B\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0B\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0C\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0C\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0D\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0D\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00834   896   NtClose  (100, ... ) == 0x0
 00835   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000015"}, ... 100, ) }, ... 100, ) == 0x0
 00836   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00837   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00838   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0G\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0G\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0H\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0I\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0G\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0G\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0H\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0I\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0G\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0G\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0H\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0I\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00839   896   NtClose  (100, ... ) == 0x0
 00840   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000016"}, ... 100, ) }, ... 100, ) == 0x0
 00841   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00842   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00843   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0L\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0L\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0M\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0N\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0L\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0L\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0M\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0N\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0L\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0L\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0M\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0N\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00844   896   NtClose  (100, ... ) == 0x0
 00845   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000017"}, ... 100, ) }, ... 100, ) == 0x0
 00846   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00847   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00848   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0Q\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0Q\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0R\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0S\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0Q\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0Q\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0R\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0S\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0Q\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0Q\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0R\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0S\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00849   896   NtClose  (100, ... ) == 0x0
 00850   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000018"}, ... 100, ) }, ... 100, ) == 0x0
 00851   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00852   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00853   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0V\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0V\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0W\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0W\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0X\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0V\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0V\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0W\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0W\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0X\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0V\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0V\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0W\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0W\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0X\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00854   896   NtClose  (100, ... ) == 0x0
 00855   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000019"}, ... 100, ) }, ... 100, ) == 0x0
 00856   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00857   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00858   896   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00859   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0]\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0^\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0]\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0^\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0]\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0^\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00860   896   NtClose  (100, ... ) == 0x0
 00861   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000020"}, ... 100, ) }, ... 100, ) == 0x0
 00862   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00863   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00864   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0a\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0a\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0b\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0c\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0a\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0a\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0b\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0c\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0a\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0a\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0b\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0c\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00865   896   NtClose  (100, ... ) == 0x0
 00866   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000021"}, ... 100, ) }, ... 100, ) == 0x0
 00867   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00868   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00869   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0f\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0f\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0g\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0h\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0f\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0f\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0g\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0h\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0f\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0f\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240s\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0g\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0h\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00870   896   NtClose  (100, ... ) == 0x0
 00871   896   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000022"}, ... 100, ) }, ... 100, ) == 0x0
 00872   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00873   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00874   896   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0k\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0k\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0l\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0m\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0n\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0n\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0o\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0T\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0ps\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0k\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0k\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0l\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0m\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0n\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0n\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0o\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0T\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0ps\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0k\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0k\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0l\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0m\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0n\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0n\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0o\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0T\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0ps\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00875   896   NtClose  (100, ... ) == 0x0
 00876   896   NtClose  (96, ... ) == 0x0
 00877   896   NtWaitForSingleObject  (88, 0, {0, 0}, ... ) == 0x102
 00878   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00879   896   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 100, ) }, ... 100, ) == 0x0
 00880   896   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00881   896   NtNotifyChangeKey  (100, 96, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00882   896   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00883   896   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   896   NtQueryValueKey  (100,  (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00885   896   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Catalog_Entries"}, ... 104, ) }, ... 104, ) == 0x0
 00886   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000001"}, ... 108, ) }, ... 108, ) == 0x0
 00887   896   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00888   896   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00889   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00890   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00891   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00892   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00893   896   NtQueryValueKey  (108,  (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00894   896   NtQueryValueKey  (108,  (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   896   NtQueryValueKey  (108,  (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00896   896   NtQueryValueKey  (108,  (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00897   896   NtQueryValueKey  (108,  (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00898   896   NtQueryValueKey  (108,  (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00899   896   NtClose  (108, ... ) == 0x0
 00900   896   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00901   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000002"}, ... 108, ) }, ... 108, ) == 0x0
 00902   896   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00903   896   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00904   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00905   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00906   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00907   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00908   896   NtQueryValueKey  (108,  (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00909   896   NtQueryValueKey  (108,  (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910   896   NtQueryValueKey  (108,  (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00911   896   NtQueryValueKey  (108,  (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00912   896   NtQueryValueKey  (108,  (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00913   896   NtQueryValueKey  (108,  (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00914   896   NtClose  (108, ... ) == 0x0
 00915   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000003"}, ... 108, ) }, ... 108, ) == 0x0
 00916   896   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00917   896   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00918   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00919   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00920   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00921   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00922   896   NtQueryValueKey  (108,  (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00923   896   NtQueryValueKey  (108,  (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00924   896   NtQueryValueKey  (108,  (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00925   896   NtQueryValueKey  (108,  (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00926   896   NtQueryValueKey  (108,  (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00927   896   NtQueryValueKey  (108,  (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00928   896   NtClose  (108, ... ) == 0x0
 00929   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000004"}, ... 108, ) }, ... 108, ) == 0x0
 00930   896   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00931   896   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00932   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00933   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00934   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00935   896   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00936   896   NtQueryValueKey  (108,  (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00937   896   NtQueryValueKey  (108,  (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   896   NtQueryValueKey  (108,  (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00939   896   NtQueryValueKey  (108,  (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00940   896   NtQueryValueKey  (108,  (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00941   896   NtQueryValueKey  (108,  (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00942   896   NtClose  (108, ... ) == 0x0
 00943   896   NtClose  (104, ... ) == 0x0
 00944   896   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 00945   896   NtClose  (84, ... ) == 0x0
 00946   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00947   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00948   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 84, ) }, ... 84, ) == 0x0
 00949   896   NtQueryValueKey  (84,  (84, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950   896   NtClose  (84, ... ) == 0x0
 00951   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 84, ) == 0x0
 00952   896   NtAllocateVirtualMemory  (-1, 10371072, 0, 32768, 4096, 4, ... 10371072, 32768, ) == 0x0
 00953   896   NtFreeVirtualMemory  (-1, (0x9e8000), 16384, 16384, ... (0x9e8000), 16384, ) == 0x0
 00954   896   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 9961472, 4096, ) == 0x0
 00955   896   NtAllocateVirtualMemory  (-1, 0, 0, 26, 4096, 64, ... 10027008, 4096, ) == 0x0
 00956   896   NtAllocateVirtualMemory  (-1, 0, 0, 263, 4096, 64, ... 10092544, 4096, ) == 0x0
 00957   896   NtAllocateVirtualMemory  (-1, 10387456, 0, 32768, 4096, 4, ... 10387456, 32768, ) == 0x0
 00958   896   NtFreeVirtualMemory  (-1, (0x9ec000), 16384, 16384, ... (0x9ec000), 16384, ) == 0x0
 00959   896   NtFreeVirtualMemory  (-1, (0x9e8000), 16384, 16384, ... (0x9e8000), 16384, ) == 0x0
 00960   896   NtAllocateVirtualMemory  (-1, 10387456, 0, 32768, 4096, 4, ... 10387456, 32768, ) == 0x0
 00961   896   NtFreeVirtualMemory  (-1, (0x9ec000), 16384, 16384, ... (0x9ec000), 16384, ) == 0x0
 00962   896   NtFreeVirtualMemory  (-1, (0x9e8000), 16384, 16384, ... (0x9e8000), 16384, ) == 0x0
 00963   896   NtFreeVirtualMemory  (-1, (0x9e4000), 16384, 16384, ... (0x9e4000), 16384, ) == 0x0
 00964   896   NtAllocateVirtualMemory  (-1, 10371072, 0, 32768, 4096, 4, ... 10371072, 32768, ) == 0x0
 00965   896   NtFreeVirtualMemory  (-1, (0x9e8000), 16384, 16384, ... (0x9e8000), 16384, ) == 0x0
 00966   896   NtFreeVirtualMemory  (-1, (0x9e4000), 16384, 16384, ... (0x9e4000), 16384, ) == 0x0
 00967   896   NtAllocateVirtualMemory  (-1, 10371072, 0, 163840, 4096, 4, ... 10371072, 163840, ) == 0x0
 00968   896   NtAllocateVirtualMemory  (-1, 10534912, 0, 32768, 4096, 4, ... 10534912, 32768, ) == 0x0
 00969   896   NtFreeVirtualMemory  (-1, (0xa10000), 16384, 16384, ... (0xa10000), 16384, ) == 0x0
 00970   896   NtFreeVirtualMemory  (-1, (0xa0c000), 16384, 16384, ... (0xa0c000), 16384, ) == 0x0
 00971   896   NtFreeVirtualMemory  (-1, (0x9e4000), 163840, 16384, ... (0x9e4000), 163840, ) == 0x0
 00972   896   NtAllocateVirtualMemory  (-1, 10371072, 0, 16384, 4096, 4, ... 10371072, 16384, ) == 0x0
 00973   896   NtFreeVirtualMemory  (-1, (0x9e4000), 16384, 16384, ... (0x9e4000), 16384, ) == 0x0
 00974   896   NtAllocateVirtualMemory  (-1, 10371072, 0, 114688, 4096, 4, ... 10371072, 114688, ) == 0x0
 00975   896   NtFreeVirtualMemory  (-1, (0x9e4000), 114688, 16384, ... (0x9e4000), 114688, ) == 0x0
 00976   896   NtAllocateVirtualMemory  (-1, 10371072, 0, 32768, 4096, 4, ... 10371072, 32768, ) == 0x0
 00977   896   NtFreeVirtualMemory  (-1, (0x9e8000), 16384, 16384, ... (0x9e8000), 16384, ) == 0x0
 00978   896   NtFreeVirtualMemory  (-1, (0x9e4000), 16384, 16384, ... (0x9e4000), 16384, ) == 0x0
 00979   896   NtAllocateVirtualMemory  (-1, 10371072, 0, 32768, 4096, 4, ... 10371072, 32768, ) == 0x0
 00980   896   NtFreeVirtualMemory  (-1, (0x9e8000), 16384, 16384, ... (0x9e8000), 16384, ) == 0x0
 00981   896   NtAllocateVirtualMemory  (-1, 10387456, 0, 16384, 4096, 4, ... 10387456, 16384, ) == 0x0
 00982   896   NtAllocateVirtualMemory  (-1, 0, 0, 13730, 4096, 64, ... 11730944, 16384, ) == 0x0
 00983   896   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 11796480, 4096, ) == 0x0
 00984   896   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 11862016, 4096, ) == 0x0
 00985   896   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 11927552, 4096, ) == 0x0
 00986   896   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 11993088, 4096, ) == 0x0
 00987   896   NtAllocateVirtualMemory  (-1, 10403840, 0, 16384, 4096, 4, ... 10403840, 16384, ) == 0x0
 00988   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243880,  (0xc0100080, {24, 0, 0x40, 0, 1243880, "\??\Scsi0:"}, 0x0, 0, 3, 1, 96, 0, 0, ... 104, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 104, {status=0x0, info=0}, ) == 0x0
 00989   896   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x4d008,  (104, 0, 0x0, 0x0, 0x4d008, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\1\1\0\0\240\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 572, 572, ... {status=0x0, info=572}, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0zB\377?\0\0\17\0\0\0\0\0?\0\0\0\0\0\0\000000000000000000010\0\0@\0\0\000000010MVawerV riutlaI EDH ra drDvi e          @\200\0\0\0/\0\0\0\2\0\0\7\0CD\17\0?\0S\373\354\0@\1\0\0\0\1\0\0\7\0\3\0x\0x\0\240\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\36\0\27\0\10@\10@\0@\10@\0@\0@\7\4\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 572, 572, ... {status=0x0, info=572},  (104, 0, 0x0, 0x0, 0x4d008, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\1\1\0\0\240\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 572, 572, ... {status=0x0, info=572}, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0zB\377?\0\0\17\0\0\0\0\0?\0\0\0\0\0\0\000000000000000000010\0\0@\0\0\000000010MVawerV riutlaI EDH ra drDvi e          @\200\0\0\0/\0\0\0\2\0\0\7\0CD\17\0?\0S\373\354\0@\1\0\0\0\1\0\0\7\0\3\0x\0x\0\240\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\36\0\27\0\10@\10@\0@\10@\0@\0@\7\4\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00990   896   NtClose  (104, ... ) == 0x0
 00991   896   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00992   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 00993   896   NtQueryInformationFile  (104, 1244036, 528, Name, ... {status=0x0, info=6}, ) == 0x0
 00994   896   NtQueryVolumeInformationFile  (104, 1366032, 284, Volume, ... {status=0x0, info=18}, ) == 0x0
 00995   896   NtQueryVolumeInformationFile  (104, 1366328, 276, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00996   896   NtClose  (104, ... ) == 0x0
 00997   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 104, {status=0x0, info=1}, ) }, 3, 8388641, ... 104, {status=0x0, info=1}, ) == 0x0
 00998   896   NtQueryVolumeInformationFile  (104, 1244780, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00999   896   NtClose  (104, ... ) == 0x0
 01000   896   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01001   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 01002   896   NtQueryInformationFile  (104, 1244040, 528, Name, ... {status=0x0, info=6}, ) == 0x0
 01003   896   NtQueryVolumeInformationFile  (104, 1366032, 284, Volume, ... {status=0x0, info=18}, ) == 0x0
 01004   896   NtQueryVolumeInformationFile  (104, 1366328, 276, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01005   896   NtClose  (104, ... ) == 0x0
 01006   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 104, {status=0x0, info=1}, ) }, 3, 8388641, ... 104, {status=0x0, info=1}, ) == 0x0
 01007   896   NtQueryVolumeInformationFile  (104, 1244784, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01008   896   NtClose  (104, ... ) == 0x0
 01009   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01010   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01011   896   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01012   896   NtClose  (104, ... ) == 0x0
 01013   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes"}, ... 104, ) }, ... 104, ) == 0x0
 01014   896   NtSetInformationObject  (106, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01015   896   NtQueryKey  (106, Name, 382, ... {Name= (106, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01016   896   NtOpenKey  (0x2000000, {24, 106, 0x40, 0, 0,  (0x2000000, {24, 106, 0x40, 0, 0, ".key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01017   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0
 01018   896   NtCreateKey  (0x2, {24, 108, 0x40, 0, 0,  (0x2, {24, 108, 0x40, 0, 0, ".key"}, 0, 0x0, 0, ... 112, 2, ) }, 0, 0x0, 0, ... 112, 2, ) == 0x0
 01019   896   NtClose  (108, ... ) == 0x0
 01020   896   NtQueryKey  (114, Name, 392, ... {Name= (114, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.keyo"}, 82, ) }, 82, ) == 0x0
 01021   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01022   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01023   896   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01024   896   NtClose  (108, ... ) == 0x0
 01025   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\.key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026   896   NtSetValueKey  (114, 0x0, 0, 1,  (114, 0x0, 0, 1, "\0\0", 2, ... , 2, ...
 01027   896   NtSetInformationFile  (-2147482448, -135747792, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01026   896   NtSetValueKey  ... ) == 0x0
 01028   896   NtClose  (114, ... ) == 0x0
 01029   896   NtQueryKey  (106, Name, 384, ... {Name= (106, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01030   896   NtOpenKey  (0x2, {24, 106, 0x40, 0, 0,  (0x2, {24, 106, 0x40, 0, 0, ".key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01031   896   NtOpenKey  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.key"}, ... 112, ) }, ... 112, ) == 0x0
 01032   896   NtQueryKey  (114, Name, 392, ... {Name= (114, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.keyo"}, 82, ) }, 82, ) == 0x0
 01033   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01034   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01035   896   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01036   896   NtClose  (108, ... ) == 0x0
 01037   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\.key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01038   896   NtSetValueKey  (114, " (114, "", 0, 1, "r\0e\0g\0f\0i\0l\0e\0\0\0", 16, ... ) r\0e\0g\0f\0i\0l\0e\0\0\0", 16, ... ) == 0x0
 01039   896   NtClose  (114, ... ) == 0x0
 01040   896   NtAllocateVirtualMemory  (-1, 10420224, 0, 32768, 4096, 4, ... 10420224, 32768, ) == 0x0
 01041   896   NtFreeVirtualMemory  (-1, (0x9f4000), 16384, 16384, ... (0x9f4000), 16384, ) == 0x0
 01042   896   NtFreeVirtualMemory  (-1, (0x9f0000), 16384, 16384, ... (0x9f0000), 16384, ) == 0x0
 01043   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01044   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 12058624, 65536, ) == 0x0
 01045   896   NtAllocateVirtualMemory  (-1, 12058624, 0, 4096, 4096, 4, ... 12058624, 4096, ) == 0x0
 01046   896   NtAllocateVirtualMemory  (-1, 12062720, 0, 20480, 4096, 4, ... 12062720, 20480, ) == 0x0
 01047   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12124160, 1048576, ) == 0x0
 01048   896   NtAllocateVirtualMemory  (-1, 12124160, 0, 32768, 4096, 4, ... 12124160, 32768, ) == 0x0
 01049   896   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 13172736, 4096, ) == 0x0
 01050   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13238272, 4096, ) == 0x0
 01051   896   NtAllocateVirtualMemory  (-1, 0, 0, 29, 4096, 64, ... 13303808, 4096, ) == 0x0
 01052   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13369344, 4096, ) == 0x0
 01053   896   NtAllocateVirtualMemory  (-1, 0, 0, 34, 4096, 64, ... 13434880, 4096, ) == 0x0
 01054   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13500416, 4096, ) == 0x0
 01055   896   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 13565952, 4096, ) == 0x0
 01056   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13631488, 4096, ) == 0x0
 01057   896   NtAllocateVirtualMemory  (-1, 0, 0, 13, 4096, 64, ... 13697024, 4096, ) == 0x0
 01058   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13762560, 4096, ) == 0x0
 01059   896   NtAllocateVirtualMemory  (-1, 0, 0, 13, 4096, 64, ... 13828096, 4096, ) == 0x0
 01060   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13893632, 4096, ) == 0x0
 01061   896   NtAllocateVirtualMemory  (-1, 0, 0, 25, 4096, 64, ... 13959168, 4096, ) == 0x0
 01062   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 14024704, 4096, ) == 0x0
 01063   896   NtAllocateVirtualMemory  (-1, 0, 0, 25, 4096, 64, ... 14090240, 4096, ) == 0x0
 01064   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 14155776, 4096, ) == 0x0
 01065   896   NtAllocateVirtualMemory  (-1, 0, 0, 55, 4096, 64, ... 14221312, 4096, ) == 0x0
 01066   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 14286848, 4096, ) == 0x0
 01067   896   NtAllocateVirtualMemory  (-1, 0, 0, 19, 4096, 64, ... 14352384, 4096, ) == 0x0
 01068   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 14417920, 4096, ) == 0x0
 01069   896   NtQueryVirtualMemory  (-1, 0x42456c, Basic, 28, ... {BaseAddress=0x424000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xdd000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01070   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01071   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01072   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01073   896   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 14483456, 4096, ) == 0x0
 01074   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 14548992, 4096, ) == 0x0
 01075   896   NtAllocateVirtualMemory  (-1, 0, 0, 19, 4096, 64, ... 14614528, 4096, ) == 0x0
 01076   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 14680064, 4096, ) == 0x0
 01077   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 112, ) }, ... 112, ) == 0x0
 01078   896   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0
 01079   896   NtClose  (112, ... ) == 0x0
 01080   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01081   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01082   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01083   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01084   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01085   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01086   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 112, ) }, ... 112, ) == 0x0
 01087   896   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 01088   896   NtClose  (112, ... ) == 0x0
 01089   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01090   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01091   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01092   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01093   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01094   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01095   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01096   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01097   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01098   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01099   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01100   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01101   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01102   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01103   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01104   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01105   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01106   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01107   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01108   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01109   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01110   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01111   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01112   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01113   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01114   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01115   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01116   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 112, ) }, ... 112, ) == 0x0
 01117   896   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xe10000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE
 01118   896   NtProtectVirtualMemory  (-1, (0xe11000), 18944, 4, ... (0xe11000), 20480, 32, ) == 0x0
 01119   896   NtProtectVirtualMemory  (-1, (0xe17000), 1024, 4, ... (0xe17000), 4096, 2, ) == 0x0
 01120   896   NtProtectVirtualMemory  (-1, (0xe18000), 1536, 4, ... (0xe18000), 4096, 2, ) == 0x0
 01121   896   NtMapViewOfSection  (112, -1, (0xe10000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 01122   896   NtProtectVirtualMemory  (-1, (0xe11000), 18944, 16, ... (0xe11000), 20480, 4, ) == 0x0
 01123   896   NtProtectVirtualMemory  (-1, (0xe17000), 1024, 2, ... (0xe17000), 4096, 8, ) == 0x0
 01124   896   NtProtectVirtualMemory  (-1, (0xe18000), 1536, 2, ... (0xe18000), 4096, 8, ) == 0x0
 01125   896   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 01126   896   NtClose  (112, ... ) == 0x0
 01127   896   NtProtectVirtualMemory  (-1, (0xe11000), 160, 4, ... (0xe11000), 4096, 16, ) == 0x0
 01128   896   NtProtectVirtualMemory  (-1, (0xe11000), 4096, 16, ... (0xe11000), 4096, 4, ) == 0x0
 01129   896   NtFlushInstructionCache  (-1, 14749696, 160, ... ) == 0x0
 01130   896   NtProtectVirtualMemory  (-1, (0xe11000), 160, 4, ... (0xe11000), 4096, 16, ) == 0x0
 01131   896   NtProtectVirtualMemory  (-1, (0xe11000), 4096, 16, ... (0xe11000), 4096, 4, ) == 0x0
 01132   896   NtFlushInstructionCache  (-1, 14749696, 160, ... ) == 0x0
 01133   896   NtProtectVirtualMemory  (-1, (0xe11000), 160, 4, ... (0xe11000), 4096, 16, ) == 0x0
 01134   896   NtProtectVirtualMemory  (-1, (0xe11000), 4096, 16, ... (0xe11000), 4096, 4, ) == 0x0
 01135   896   NtFlushInstructionCache  (-1, 14749696, 160, ... ) == 0x0
 01136   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01137   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01138   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01139   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 112, ) }, ... 112, ) == 0x0
 01140   896   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 01141   896   NtClose  (112, ... ) == 0x0
 01142   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01143   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01144   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01145   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01146   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01147   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01148   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01149   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01150   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01151   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01152   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01153   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01154   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01155   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01156   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01157   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01158   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01159   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01160   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01161   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01162   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01163   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01164   896   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01165   896   NtCreateSemaphore  (0x1f0003, {24, 68, 0x80, 1367696, 0,  (0x1f0003, {24, 68, 0x80, 1367696, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 112, ) }, 0, 2147483647, ... 112, ) == STATUS_OBJECT_NAME_EXISTS
 01166   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01167   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   896   NtQueryPerformanceCounter  (... {-1449501080, 16}, {3579545, 0}, ) == 0x0
 01169   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininet.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   896   NtQueryPerformanceCounter  (... {-1449500528, 16}, {3579545, 0}, ) == 0x0
 01171   896   NtAllocateVirtualMemory  (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0
 01172   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01173   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14811136, 1048576, ) == 0x0
 01174   896   NtAllocateVirtualMemory  (-1, 14811136, 0, 4096, 4096, 4, ... 14811136, 4096, ) == 0x0
 01175   896   NtAllocateVirtualMemory  (-1, 14815232, 0, 8192, 4096, 4, ... 14815232, 8192, ) == 0x0
 01176   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0
 01177   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239768,  (0xc0100080, {24, 0, 0x40, 0, 1239768, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 116, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 116, {status=0x0, info=0}, ) == 0x0
 01178   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01179   896   NtDeviceIoControlFile  (116, 120, 0x0, 0x12eb38, 0x22414c,  (116, 120, 0x0, 0x12eb38, 0x22414c, "\200\353\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01180   896   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01181   896   NtQueryValueKey  (-2147481368,  (-2147481368, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01182   896   NtQueryValueKey  (-2147481368,  (-2147481368, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   896   NtClose  (-2147481368, ... ) == 0x0
 01184   896   NtClose  (2280, ... ) == 0x0
 01179   896   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "h\340I\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#Seed\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01185   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239984,  (0xc0100080, {24, 0, 0x40, 0, 1239984, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 128, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 128, {status=0x0, info=0}, ) == 0x0
 01186   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01187   896   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 136, ) == 0x0
 01188   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 01189   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 01190   896   NtAllocateVirtualMemory  (-1, 14823424, 0, 8192, 4096, 4, ... 14823424, 8192, ) == 0x0
 01191   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15859712, 1048576, ) == 0x0
 01192   896   NtAllocateVirtualMemory  (-1, 16900096, 0, 8192, 4096, 4, ... 16900096, 8192, ) == 0x0
 01193   896   NtProtectVirtualMemory  (-1, (0x101e000), 4096, 260, ... (0x101e000), 4096, 4, ) == 0x0
 01194   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1239068, 1239012, 1, ... 148, {1252, 2016}, ) == 0x0
 01195   896   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1252,Tid=2016,}, 0x0, ) == 0x0
 01196   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 14811512}  (24, {28, 56, new_msg, 0, 0, 0, 0, 14811512} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\224\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\224\0\0\0\344\4\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81841, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 14811512} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\224\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\224\0\0\0\344\4\0\0\340\7\0\0" )  ) == 0x0
 01197   896   NtResumeThread  (148, ... 1, ) == 0x0
 01198   896   NtClose  (148, ...
 01199  2016   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 152, ) == 0x0
 01200  2016   NtWaitForSingleObject  (152, 0, 0x0, ...
 01198   896   NtClose  ... ) == 0x0
 01201   896   NtSetEvent  (132, ... 0x0, ) == 0x0
 01202   896   NtSetEvent  (108, ... 0x0, ) == 0x0
 01203   896   NtClose  (108, ... ) == 0x0
 01204   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0
 01205   896   NtAllocateVirtualMemory  (-1, 14831616, 0, 4096, 4096, 4, ... 14831616, 4096, ) == 0x0
 01206   896   NtDeviceIoControlFile  (116, 120, 0x0, 0x12eb38, 0x22414c,  (116, 120, 0x0, 0x12eb38, 0x22414c, "\200\353\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01207   896   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01208   896   NtQueryValueKey  (-2147481368,  (-2147481368, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   896   NtQueryValueKey  (-2147481368,  (-2147481368, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01210   896   NtClose  (-2147481368, ... ) == 0x0
 01211   896   NtClose  (2280, ... ) == 0x0
 01206   896   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, " \350R\342\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344j\0e\0c\0t\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01212   896   NtSetEvent  (132, ... 0x0, ) == 0x0
 01213   896   NtSetEvent  (108, ... 0x0, ) == 0x0
 01214   896   NtClose  (108, ... ) == 0x0
 01215   896   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01216   896   NtOpenProcessToken  (-1, 0xa, ... 108, ) == 0x0
 01217   896   NtDuplicateToken  (108, 0xc, {24, 0, 0x0, 0, 1240252, 0x0}, 0, 2, ... 156, ) == 0x0
 01218   896   NtClose  (108, ... ) == 0x0
 01219   896   NtAccessCheck  (1373520, 156, 0x1, 1240328, 1240380, 56, 1240360, ... (0x1), ) == 0x0
 01220   896   NtClose  (156, ... ) == 0x0
 01221   896   NtQueryDefaultUILanguage  (1239132, ...
 01222   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01223   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 01224   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01225   896   NtClose  (-2147481368, ... ) == 0x0
 01226   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01227   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01228   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01229   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01230   896   NtClose  (-2147481452, ... ) == 0x0
 01231   896   NtClose  (-2147481368, ... ) == 0x0
 01221   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01232   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01233   896   NtQueryDefaultUILanguage  (2090319928, ...
 01234   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01235   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 01236   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01237   896   NtClose  (-2147481368, ... ) == 0x0
 01238   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01239   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01240   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01241   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01242   896   NtClose  (-2147481452, ... ) == 0x0
 01243   896   NtClose  (-2147481368, ... ) == 0x0
 01233   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01244   896   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 01245   896   NtQueryDefaultLocale  (1, 1237228, ... ) == 0x0
 01246   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238264, 1179817, 1237988}  (24, {128, 156, new_msg, 0, 2088850039, 1238264, 1179817, 1237988} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\354\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81842, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\354\350\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81842, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238264, 1179817, 1237988} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\354\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81842, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\354\350\22\0\0\0\0\0" )  ) == 0x0
 01248   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01249   896   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01251   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01252   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236456, ... ) }, 1236456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01253   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01254   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01255   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01256   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1236520, ... ) }, 1236520, ... ) == 0x0
 01257   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 156, {status=0x0, info=1}, ) }, 3, 33, ... 156, {status=0x0, info=1}, ) == 0x0
 01258   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01259   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01260   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 160, ) == 0x0
 01261   896   NtClose  (108, ... ) == 0x0
 01262   896   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1030000), 0x0, 1056768, ) == 0x0
 01263   896   NtClose  (160, ... ) == 0x0
 01264   896   NtUnmapViewOfSection  (-1, 0x1030000, ... ) == 0x0
 01265   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01266   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 160, ... 108, ) == 0x0
 01267   896   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01268   896   NtClose  (160, ... ) == 0x0
 01269   896   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 01270   896   NtClose  (108, ... ) == 0x0
 01271   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01272   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01273   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01274   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01275   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01276   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01277   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01278   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01279   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01280   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01281   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01282   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01283   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01284   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01285   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01286   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01287   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01288   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01289   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01290   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01291   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01292   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01293   896   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238000, ... ) , 42, 1238000, ... ) == 0x0
 01294   896   NtQueryDefaultUILanguage  (1236684, ...
 01295   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01296   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 01297   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01298   896   NtClose  (-2147481368, ... ) == 0x0
 01299   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01300   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01302   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   896   NtClose  (-2147481452, ... ) == 0x0
 01304   896   NtClose  (-2147481368, ... ) == 0x0
 01294   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01305   896   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01306   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235524, ... ) }, 1235524, ... ) == 0x0
 01307   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01308   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 160, ) == 0x0
 01309   896   NtClose  (108, ... ) == 0x0
 01310   896   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1030000), 0x0, 4096, ) == 0x0
 01311   896   NtClose  (160, ... ) == 0x0
 01312   896   NtUnmapViewOfSection  (-1, 0x1030000, ... ) == 0x0
 01313   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235120, ... ) }, 1235120, ... ) == 0x0
 01314   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1235864,  (0x80100080, {24, 0, 0x40, 0, 1235864, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01315   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 160, ... 108, ) == 0x0
 01316   896   NtClose  (160, ... ) == 0x0
 01317   896   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1030000), {0, 0}, 4096, ) == 0x0
 01318   896   NtClose  (108, ... ) == 0x0
 01319   896   NtUnmapViewOfSection  (-1, 0x1030000, ... ) == 0x0
 01320   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 108, {status=0x0, info=1}, ) }, 1, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01321   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 108, ... 160, ) == 0x0
 01322   896   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1030000), 0x0, 4096, ) == 0x0
 01323   896   NtQueryInformationFile  (108, 1235516, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01324   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01325   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1235816, 1179817, 1235540}  (24, {128, 156, new_msg, 0, 2088850039, 1235816, 1179817, 1235540} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1l\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0\\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81843, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1l\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0\\337\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81843, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1235816, 1179817, 1235540} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1l\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0\\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81843, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1l\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0\\337\22\0\0\0\0\0" )  ) == 0x0
 01326   896   NtClose  (108, ... ) == 0x0
 01327   896   NtClose  (160, ... ) == 0x0
 01328   896   NtUnmapViewOfSection  (-1, 0x1030000, ... ) == 0x0
 01329   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01330   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01331   896   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 01332   896   NtUserGetDC  (0, ... ) == 0x1010052
 01333   896   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01334   896   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 01335   896   NtUserSystemParametersInfo  (66, 12, 1237516, 0, ... ) == 0x1
 01336   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01337   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01338   896   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01339   896   NtClose  (160, ... ) == 0x0
 01340   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 160, ) }, ... 160, ) == 0x0
 01341   896   NtOpenProcessToken  (-1, 0x8, ... 108, ) == 0x0
 01342   896   NtAccessCheck  (1373520, 108, 0x1, 1237348, 1237400, 56, 1237380, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01343   896   NtClose  (108, ... ) == 0x0
 01344   896   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 01345   896   NtQueryValueKey  (108,  (108, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01346   896   NtClose  (108, ... ) == 0x0
 01347   896   NtUserSystemParametersInfo  (41, 500, 1237544, 0, ... ) == 0x1
 01348   896   NtOpenProcessToken  (-1, 0x8, ... 108, ) == 0x0
 01349   896   NtAccessCheck  (1373520, 108, 0x1, 1237348, 1237400, 56, 1237380, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01350   896   NtClose  (108, ... ) == 0x0
 01351   896   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 108, ) }, ... 108, ) == 0x0
 01352   896   NtQueryValueKey  (108,  (108, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01353   896   NtClose  (108, ... ) == 0x0
 01354   896   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 01355   896   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 01356   896   NtClose  (160, ... ) == 0x0
 01357   896   NtUserSystemParametersInfo  (4130, 0, 1238048, 0, ... ) == 0x1
 01358   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 160, ) }, ... 160, ) == 0x0
 01359   896   NtEnumerateValueKey  (160, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01360   896   NtClose  (160, ... ) == 0x0
 01361   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01362   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c03b
 01363   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c03d
 01364   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01365   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c03f
 01366   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01367   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c041
 01368   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01369   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c043
 01370   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c045
 01371   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01372   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c047
 01373   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01374   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c049
 01375   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01376   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c04b
 01377   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01378   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c04d
 01379   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01380   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c04f
 01381   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c051
 01382   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01383   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c053
 01384   896   NtUserFindExistingCursorIcon  (1237292, 1237308, 1237356, ... ) == 0x10011
 01385   896   NtUserRegisterClassExWOW  (1237236, 1237304, 1237320, 1237336, 0, 384, 0, ... ) == 0x8177c055
 01386   896   NtUserFindExistingCursorIcon  (1237292, 1237308, 1237356, ... ) == 0x10011
 01387   896   NtUserRegisterClassExWOW  (1237236, 1237304, 1237320, 1237336, 0, 384, 0, ... ) == 0x8177c057
 01388   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01389   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c059
 01390   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10013
 01391   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c05b
 01392   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01393   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c05d
 01394   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01395   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c05f
 01396   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01397   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c017
 01398   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01399   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c019
 01400   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10013
 01401   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c018
 01402   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01403   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c01a
 01404   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01405   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c01c
 01406   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01407   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c01e
 01408   896   NtUserFindExistingCursorIcon  (1237288, 1237304, 1237352, ... ) == 0x10011
 01409   896   NtUserRegisterClassExWOW  (1237288, 1237356, 1237372, 1237388, 0, 384, 0, ... ) == 0x8177c01b
 01410   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01411   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c068
 01412   896   NtUserFindExistingCursorIcon  (1237296, 1237312, 1237360, ... ) == 0x10011
 01413   896   NtUserRegisterClassExWOW  (1237240, 1237308, 1237324, 1237340, 0, 384, 0, ... ) == 0x8177c06a
 01414   896   NtCreateKey  (0x2001f, {24, 76, 0x40, 0, 0,  (0x2001f, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 160, 2, ) }, 0, 0x0, 0, ... 160, 2, ) == 0x0
 01415   896   NtSetEventBoostPriority  (152, ...
 01200  2016   NtWaitForSingleObject  ... ) == 0x0
 01416  2016   NtTestAlert  (... ) == 0x0
 01417  2016   NtContinue  (16907568, 1, ...
 01418  2016   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01419  2016   NtDeviceIoControlFile  (128, 140, 0x0, 0x77e466a0, 0x228144,  (128, 140, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0\210\0\0\0\0\0\0\0\224\0\0\0\0\0\0\0|\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01415   896   NtSetEventBoostPriority  ... ) == 0x0
 01420  2016   NtWaitForMultipleObjects  (2, (132, 140, ), 1, 1, {1294967296, -1}, ... ) == 0x0
 01421  2016   NtDeviceIoControlFile  (128, 144, 0x0, 0x77e46680, 0x228144,  (128, 144, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0\210\0\0\0\0\0\0\0\224\0\0\0\0\0\0\0|\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01422  2016   NtWaitForMultipleObjects  (2, (132, 144, ), 1, 1, {1294967296, -1}, ...
 01423   896   NtQueryValueKey  (160,  (160, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01424   896   NtQueryValueKey  (160,  (160, "SecureProtocols", Partial, 144, ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "SecureProtocols", Partial, 144, ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0
 01425   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies"}, ... 108, ) }, ... 108, ) == 0x0
 01426   896   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "Software\Policies"}, ... 164, ) }, ... 164, ) == 0x0
 01427   896   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "Software"}, ... 168, ) }, ... 168, ) == 0x0
 01428   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software"}, ... 172, ) }, ... 172, ) == 0x0
 01429   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01430   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01431   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 176, ) }, ... 176, ) == 0x0
 01433   896   NtQueryValueKey  (176,  (176, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01434   896   NtClose  (176, ... ) == 0x0
 01435   896   NtQueryValueKey  (160,  (160, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01436   896   NtQueryValueKey  (160,  (160, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437   896   NtQueryValueKey  (160,  (160, "IdnEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438   896   NtQueryValueKey  (160,  (160, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   896   NtQueryValueKey  (160,  (160, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01440   896   NtQueryValueKey  (160,  (160, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   896   NtQueryValueKey  (160,  (160, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01442   896   NtQueryValueKey  (160,  (160, "DisableBasicOverClearChannel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444   896   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   896   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 176, ) }, ... 176, ) == 0x0
 01447   896   NtQueryValueKey  (176,  (176, "Feature_ClientAuthCertFilter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448   896   NtClose  (176, ... ) == 0x0
 01449   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239772, ... ) }, 1239772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01451   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 1239772, ... ) }, 1239772, ... ) == 0x0
 01452   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0
 01453   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 176, ... 180, ) == 0x0
 01454   896   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01455   896   NtClose  (176, ... ) == 0x0
 01456   896   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0
 01457   896   NtClose  (180, ... ) == 0x0
 01458   896   NtProtectVirtualMemory  (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0
 01459   896   NtProtectVirtualMemory  (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0
 01460   896   NtFlushInstructionCache  (-1, 2013138944, 388, ... ) == 0x0
 01461   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01462   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 180, ) == 0x0
 01463   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 176, ) == 0x0
 01464   896   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 184, ) }, ... 184, ) == 0x0
 01465   896   NtQueryEvent  (184, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 01466   896   NtClose  (184, ... ) == 0x0
 01467   896   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241344, 140, ... 184, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241344, 140, ... 184, 0x0, 0x0, 256, 140, ) == 0x0
 01468   896   NtRequestWaitReplyPort  (184, {28, 52, new_msg, 0, 0, 0, 0, 0}  (184, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\220\36\24\0" ... {188, 212, reply, 0, 1252, 896, 81845, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ... {188, 212, reply, 0, 1252, 896, 81845, 0}  (184, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\220\36\24\0" ... {188, 212, reply, 0, 1252, 896, 81845, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ) == 0x0
 01469   896   NtQueryValueKey  (160,  (160, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470   896   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 188, ) }, ... 188, ) == 0x0
 01471   896   NtQueryValueKey  (188,  (188, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472   896   NtClose  (188, ... ) == 0x0
 01473   896   NtOpenKey  (0xf, {24, 16, 0x40, 0, 0,  (0xf, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 188, ) }, ... 188, ) == 0x0
 01474   896   NtOpenKey  (0xf, {24, 76, 0x40, 0, 0,  (0xf, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 192, ) }, ... 192, ) == 0x0
 01475   896   NtOpenKey  (0x9, {24, 76, 0x40, 0, 0,  (0x9, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 196, ) }, ... 196, ) == 0x0
 01476   896   NtQueryValueKey  (196,  (196, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (196, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01477   896   NtQueryValueKey  (196,  (196, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (196, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01478   896   NtClose  (196, ... ) == 0x0
 01479   896   NtOpenKey  (0xf, {24, 192, 0x40, 0, 0,  (0xf, {24, 192, 0x40, 0, 0, "Content"}, ... 196, ) }, ... 196, ) == 0x0
 01480   896   NtQueryValueKey  (196,  (196, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   896   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "Content"}, ... 200, ) }, ... 200, ) == 0x0
 01482   896   NtQueryValueKey  (200,  (200, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01483   896   NtClose  (200, ... ) == 0x0
 01484   896   NtClose  (196, ... ) == 0x0
 01485   896   NtOpenKey  (0xf, {24, 192, 0x40, 0, 0,  (0xf, {24, 192, 0x40, 0, 0, "Content"}, ... 196, ) }, ... 196, ) == 0x0
 01486   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 200, ) }, ... 200, ) == 0x0
 01487   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 01488   896   NtClose  (200, ... ) == 0x0
 01489   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01490   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01491   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01492   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01493   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01494   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01495   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01496   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01497   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01498   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01499   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01500   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01501   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01502   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01503   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01504   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01505   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01506   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01507   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01508   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01509   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01510   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01511   896   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01512   896   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01513   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 200, ) }, ... 200, ) == 0x0
 01515   896   NtQueryValueKey  (200,  (200, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01516   896   NtClose  (200, ... ) == 0x0
 01517   896   NtQueryDefaultUILanguage  (1236368, ...
 01518   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01519   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 01520   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01521   896   NtClose  (-2147481368, ... ) == 0x0
 01522   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01523   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01525   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526   896   NtClose  (-2147481452, ... ) == 0x0
 01527   896   NtClose  (-2147481368, ... ) == 0x0
 01517   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01528   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 200, {status=0x0, info=1}, ) }, 1, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01529   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 200, ... 204, ) == 0x0
 01530   896   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1050000), 0x0, 8462336, ) == 0x0
 01531   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   896   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01533   896   NtQueryDefaultLocale  (1, 1234464, ... ) == 0x0
 01534   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1235500, 1179817, 1235224}  (24, {128, 156, new_msg, 0, 2088850039, 1235500, 1179817, 1235224} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\310\0\0\0\377\377\377\377\0\0\0\0@ (\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0 \336\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81846, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\310\0\0\0\377\377\377\377\0\0\0\0@ (\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0 \336\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81846, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1235500, 1179817, 1235224} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\310\0\0\0\377\377\377\377\0\0\0\0@ (\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0 \336\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81846, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\310\0\0\0\377\377\377\377\0\0\0\0@ (\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0 \336\22\0\0\0\0\0" )  ) == 0x0
 01536   896   NtClose  (200, ... ) == 0x0
 01537   896   NtClose  (204, ... ) == 0x0
 01538   896   NtUnmapViewOfSection  (-1, 0x1050000, ... ) == 0x0
 01539   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01540   896   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01541   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01542   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01543   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233656, ... ) }, 1233656, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01545   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01546   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01547   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1233720, ... ) }, 1233720, ... ) == 0x0
 01548   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 204, {status=0x0, info=1}, ) }, 3, 33, ... 204, {status=0x0, info=1}, ) == 0x0
 01549   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01550   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 200, ) }, ... 200, ) == 0x0
 01551   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 01552   896   NtClose  (200, ... ) == 0x0
 01553   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01554   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01555   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01556   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01557   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01558   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01559   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01560   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01561   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01562   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01563   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01564   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01565   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01566   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01567   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01568   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01570   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 01571   896   NtAllocateVirtualMemory  (-1, 17104896, 0, 4096, 4096, 4, ... 17104896, 4096, ) == 0x0
 01572   896   NtAllocateVirtualMemory  (-1, 17108992, 0, 8192, 4096, 4, ... 17108992, 8192, ) == 0x0
 01573   896   NtAllocateVirtualMemory  (-1, 17117184, 0, 4096, 4096, 4, ... 17117184, 4096, ) == 0x0
 01574   896   NtAllocateVirtualMemory  (-1, 17121280, 0, 4096, 4096, 4, ... 17121280, 4096, ) == 0x0
 01575   896   NtQueryDefaultUILanguage  (1234496, ...
 01576   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01577   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 01578   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01579   896   NtClose  (-2147481368, ... ) == 0x0
 01580   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 01581   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01582   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01583   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584   896   NtClose  (-2147481452, ... ) == 0x0
 01585   896   NtClose  (-2147481368, ... ) == 0x0
 01575   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01586   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 200, {status=0x0, info=1}, ) }, 1, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01587   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 200, ... 208, ) == 0x0
 01588   896   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1060000), 0x0, 618496, ) == 0x0
 01589   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01590   896   NtQueryDefaultLocale  (1, 1232592, ... ) == 0x0
 01591   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1233628, 1179817, 1233352}  (24, {128, 156, new_msg, 0, 2088850039, 1233628, 1179817, 1233352} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\310\0\0\0\377\377\377\377\0\0\0\0\340q\15\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\320\326\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81847, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\310\0\0\0\377\377\377\377\0\0\0\0\340q\15\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\320\326\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81847, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1233628, 1179817, 1233352} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\310\0\0\0\377\377\377\377\0\0\0\0\340q\15\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\320\326\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81847, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\310\0\0\0\377\377\377\377\0\0\0\0\340q\15\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0\320\326\22\0\0\0\0\0" )  ) == 0x0
 01593   896   NtClose  (200, ... ) == 0x0
 01594   896   NtClose  (208, ... ) == 0x0
 01595   896   NtUnmapViewOfSection  (-1, 0x1060000, ... ) == 0x0
 01596   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01597   896   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 01598   896   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 208, ) == 0x0
 01599   896   NtQueryInformationProcess  (208, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01600   896   NtClose  (208, ... ) == 0x0
 01601   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01602   896   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 01603   896   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 01604   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01605   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01606   896   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01607   896   NtClose  (208, ... ) == 0x0
 01608   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 208, ) }, ... 208, ) == 0x0
 01609   896   NtOpenProcessToken  (-1, 0x8, ... 200, ) == 0x0
 01610   896   NtAccessCheck  (1373520, 200, 0x1, 1235688, 1235740, 56, 1235720, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01611   896   NtClose  (200, ... ) == 0x0
 01612   896   NtOpenKey  (0x20019, {24, 208, 0x40, 0, 0,  (0x20019, {24, 208, 0x40, 0, 0, "Control Panel\Desktop"}, ... 200, ) }, ... 200, ) == 0x0
 01613   896   NtQueryValueKey  (200,  (200, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01614   896   NtClose  (200, ... ) == 0x0
 01615   896   NtUserSystemParametersInfo  (41, 500, 1235868, 0, ... ) == 0x1
 01616   896   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 01617   896   NtClose  (208, ... ) == 0x0
 01618   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01619   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c03b
 01620   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c03d
 01621   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01622   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c03f
 01623   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01624   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c041
 01625   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01626   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c043
 01627   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c045
 01628   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01629   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c047
 01630   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01631   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c049
 01632   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01633   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c04b
 01634   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01635   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c04d
 01636   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01637   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c04f
 01638   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c051
 01639   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01640   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c053
 01641   896   NtUserFindExistingCursorIcon  (1235616, 1235632, 1235680, ... ) == 0x10011
 01642   896   NtUserRegisterClassExWOW  (1235560, 1235628, 1235644, 1235660, 0, 384, 0, ... ) == 0x8177c055
 01643   896   NtUserFindExistingCursorIcon  (1235616, 1235632, 1235680, ... ) == 0x10011
 01644   896   NtUserRegisterClassExWOW  (1235560, 1235628, 1235644, 1235660, 0, 384, 0, ... ) == 0x8177c057
 01645   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01646   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c059
 01647   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10013
 01648   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c05b
 01649   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01650   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c05d
 01651   896   NtUserFindExistingCursorIcon  (1235620, 1235636, 1235684, ... ) == 0x10011
 01652   896   NtUserRegisterClassExWOW  (1235564, 1235632, 1235648, 1235664, 0, 384, 0, ... ) == 0x8177c05f
 01653   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01654   896   NtCreateSemaphore  (0x1f0003, {24, 68, 0x80, 1367696, 0,  (0x1f0003, {24, 68, 0x80, 1367696, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 208, ) }, 0, 2147483647, ... 208, ) == STATUS_OBJECT_NAME_EXISTS
 01655   896   NtReleaseSemaphore  (208, 1, ... 0, ) == 0x0
 01656   896   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x0
 01657   896   NtCreateKey  (0x2000000, {24, 76, 0x40, 0, 0,  (0x2000000, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01658   896   NtQueryValueKey  (200,  (200, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (200, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01659   896   NtClose  (200, ... ) == 0x0
 01660   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1239440, ... ) }, 1239440, ... ) == 0x0
 01661   896   NtCreateKey  (0x2000000, {24, 76, 0x40, 0, 0,  (0x2000000, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01662   896   NtSetValueKey  (200,  (200, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 0, 1,  (200, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 162, ... ) == 0x0
 01663   896   NtClose  (200, ... ) == 0x0
 01664   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1240132, ... ) }, 1240132, ... ) == 0x0
 01665   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1239340, ... ) }, 1239340, ... ) == 0x0
 01666   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 200, {status=0x0, info=1}, ) }, 7, 2113568, ... 200, {status=0x0, info=1}, ) == 0x0
 01667   896   NtSetInformationFile  (200, 1239312, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01668   896   NtClose  (200, ... ) == 0x0
 01669   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 1239336, ... ) }, 1239336, ... ) == 0x0
 01670   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 1240132, ... ) }, 1240132, ... ) == 0x0
 01671   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 1239340, ... ) }, 1239340, ... ) == 0x0
 01672   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... 200, {status=0x0, info=1}, ) }, 7, 2113568, ... 200, {status=0x0, info=1}, ) == 0x0
 01673   896   NtSetInformationFile  (200, 1239312, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01674   896   NtClose  (200, ... ) == 0x0
 01675   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1239336, ... ) }, 1239336, ... ) == 0x0
 01676   896   NtQueryValueKey  (196,  (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01677   896   NtQueryValueKey  (196,  (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01678   896   NtQueryValueKey  (196,  (196, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0
 01679   896   NtOpenKey  (0xf, {24, 192, 0x40, 0, 0,  (0xf, {24, 192, 0x40, 0, 0, "Cookies"}, ... 200, ) }, ... 200, ) == 0x0
 01680   896   NtQueryValueKey  (200,  (200, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01681   896   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "Cookies"}, ... 212, ) }, ... 212, ) == 0x0
 01682   896   NtQueryValueKey  (212,  (212, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01683   896   NtClose  (212, ... ) == 0x0
 01684   896   NtClose  (200, ... ) == 0x0
 01685   896   NtClose  (196, ... ) == 0x0
 01686   896   NtOpenKey  (0xf, {24, 192, 0x40, 0, 0,  (0xf, {24, 192, 0x40, 0, 0, "Cookies"}, ... 196, ) }, ... 196, ) == 0x0
 01687   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01688   896   NtReleaseSemaphore  (208, 1, ... 0, ) == 0x0
 01689   896   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x0
 01690   896   NtCreateKey  (0x2000000, {24, 76, 0x40, 0, 0,  (0x2000000, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01691   896   NtQueryValueKey  (200,  (200, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (200, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01692   896   NtClose  (200, ... ) == 0x0
 01693   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 1239440, ... ) }, 1239440, ... ) == 0x0
 01694   896   NtCreateKey  (0x2000000, {24, 76, 0x40, 0, 0,  (0x2000000, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01695   896   NtSetValueKey  (200,  (200, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 0, 1,  (200, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 98, ... ) == 0x0
 01696   896   NtClose  (200, ... ) == 0x0
 01697   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 1240132, ... ) }, 1240132, ... ) == 0x0
 01698   896   NtQueryValueKey  (196,  (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01699   896   NtQueryValueKey  (196,  (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01700   896   NtQueryValueKey  (196,  (196, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01701   896   NtOpenKey  (0xf, {24, 192, 0x40, 0, 0,  (0xf, {24, 192, 0x40, 0, 0, "History"}, ... 200, ) }, ... 200, ) == 0x0
 01702   896   NtQueryValueKey  (200,  (200, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01703   896   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "History"}, ... 212, ) }, ... 212, ) == 0x0
 01704   896   NtQueryValueKey  (212,  (212, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01705   896   NtClose  (212, ... ) == 0x0
 01706   896   NtClose  (200, ... ) == 0x0
 01707   896   NtClose  (196, ... ) == 0x0
 01708   896   NtOpenKey  (0xf, {24, 192, 0x40, 0, 0,  (0xf, {24, 192, 0x40, 0, 0, "History"}, ... 196, ) }, ... 196, ) == 0x0
 01709   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01710   896   NtReleaseSemaphore  (208, 1, ... 0, ) == 0x0
 01711   896   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x0
 01712   896   NtCreateKey  (0x2000000, {24, 76, 0x40, 0, 0,  (0x2000000, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01713   896   NtQueryValueKey  (200,  (200, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (200, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01714   896   NtClose  (200, ... ) == 0x0
 01715   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1239440, ... ) }, 1239440, ... ) == 0x0
 01716   896   NtCreateKey  (0x2000000, {24, 76, 0x40, 0, 0,  (0x2000000, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01717   896   NtSetValueKey  (200,  (200, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 0, 1,  (200, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 128, ... ) == 0x0
 01718   896   NtClose  (200, ... ) == 0x0
 01719   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1240132, ... ) }, 1240132, ... ) == 0x0
 01720   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1239340, ... ) }, 1239340, ... ) == 0x0
 01721   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... 200, {status=0x0, info=1}, ) }, 7, 2113568, ... 200, {status=0x0, info=1}, ) == 0x0
 01722   896   NtSetInformationFile  (200, 1239312, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01723   896   NtClose  (200, ... ) == 0x0
 01724   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 1239336, ... ) }, 1239336, ... ) == 0x0
 01725   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 1240132, ... ) }, 1240132, ... ) == 0x0
 01726   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 1239340, ... ) }, 1239340, ... ) == 0x0
 01727   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... 200, {status=0x0, info=1}, ) }, 7, 2113568, ... 200, {status=0x0, info=1}, ) == 0x0
 01728   896   NtSetInformationFile  (200, 1239312, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01729   896   NtClose  (200, ... ) == 0x0
 01730   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 1239336, ... ) }, 1239336, ... ) == 0x0
 01731   896   NtQueryValueKey  (196,  (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01732   896   NtQueryValueKey  (196,  (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (196, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01733   896   NtQueryValueKey  (196,  (196, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01734   896   NtClose  (196, ... ) == 0x0
 01735   896   NtClose  (192, ... ) == 0x0
 01736   896   NtClose  (188, ... ) == 0x0
 01737   896   NtOpenMutant  (0x100000, {24, 68, 0x0, 0, 0,  (0x100000, {24, 68, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... 188, ) }, ... 188, ) == 0x0
 01738   896   NtOpenMutant  (0x100000, {24, 68, 0x0, 0, 0,  (0x100000, {24, 68, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... 192, ) }, ... 192, ) == 0x0
 01739   896   NtWaitForSingleObject  (192, 0, 0x0, ... ) == 0x0
 01740   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241440, ... ) }, 1241440, ... ) == 0x0
 01741   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 196, {status=0x0, info=1}, ) }, 7, 2113568, ... 196, {status=0x0, info=1}, ) == 0x0
 01742   896   NtSetInformationFile  (196, 1241416, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01743   896   NtClose  (196, ... ) == 0x0
 01744   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241356,  (0xc0100080, {24, 0, 0x40, 0, 1241356, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01745   896   NtSetInformationFile  (196, 1241408, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01746   896   NtQueryInformationFile  (196, 1241408, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01747   896   NtOpenSection  (0x2, {24, 68, 0x0, 0, 0,  (0x2, {24, 68, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... 200, ) }, ... 200, ) == 0x0
 01748   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1110000), {0, 0}, 802816, ) == 0x0
 01749   896   NtReleaseMutant  (192, ... 0x0, ) == 0x0
 01750   896   NtOpenMutant  (0x100000, {24, 68, 0x0, 0, 0,  (0x100000, {24, 68, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... 212, ) }, ... 212, ) == 0x0
 01751   896   NtWaitForSingleObject  (212, 0, 0x0, ... ) == 0x0
 01752   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 1241440, ... ) }, 1241440, ... ) == 0x0
 01753   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... 216, {status=0x0, info=1}, ) }, 7, 2113568, ... 216, {status=0x0, info=1}, ) == 0x0
 01754   896   NtSetInformationFile  (216, 1241416, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01755   896   NtClose  (216, ... ) == 0x0
 01756   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241356,  (0xc0100080, {24, 0, 0x40, 0, 1241356, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 216, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 216, {status=0x0, info=1}, ) == 0x0
 01757   896   NtSetInformationFile  (216, 1241408, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01758   896   NtQueryInformationFile  (216, 1241408, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01759   896   NtOpenSection  (0x2, {24, 68, 0x0, 0, 0,  (0x2, {24, 68, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... 220, ) }, ... 220, ) == 0x0
 01760   896   NtMapViewOfSection  (220, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1060000), {0, 0}, 32768, ) == 0x0
 01761   896   NtReleaseMutant  (212, ... 0x0, ) == 0x0
 01762   896   NtOpenMutant  (0x100000, {24, 68, 0x0, 0, 0,  (0x100000, {24, 68, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... 224, ) }, ... 224, ) == 0x0
 01763   896   NtWaitForSingleObject  (224, 0, 0x0, ... ) == 0x0
 01764   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 1241440, ... ) }, 1241440, ... ) == 0x0
 01765   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 228, {status=0x0, info=1}, ) }, 7, 2113568, ... 228, {status=0x0, info=1}, ) == 0x0
 01766   896   NtSetInformationFile  (228, 1241416, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01767   896   NtClose  (228, ... ) == 0x0
 01768   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241356,  (0xc0100080, {24, 0, 0x40, 0, 1241356, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 228, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 228, {status=0x0, info=1}, ) == 0x0
 01769   896   NtSetInformationFile  (228, 1241408, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01770   896   NtQueryInformationFile  (228, 1241408, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01771   896   NtOpenSection  (0x2, {24, 68, 0x0, 0, 0,  (0x2, {24, 68, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... 232, ) }, ... 232, ) == 0x0
 01772   896   NtMapViewOfSection  (232, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1070000), {0, 0}, 81920, ) == 0x0
 01773   896   NtReleaseMutant  (224, ... 0x0, ) == 0x0
 01774   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241016, ... ) }, 1241016, ... ) == 0x0
 01775   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 236, {status=0x0, info=1}, ) }, 7, 2113568, ... 236, {status=0x0, info=1}, ) == 0x0
 01776   896   NtSetInformationFile  (236, 1240988, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01777   896   NtClose  (236, ... ) == 0x0
 01778   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241012, ... ) }, 1241012, ... ) == 0x0
 01779   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 1241016, ... ) }, 1241016, ... ) == 0x0
 01780   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 236, {status=0x0, info=1}, ) }, 7, 2113568, ... 236, {status=0x0, info=1}, ) == 0x0
 01781   896   NtSetInformationFile  (236, 1240988, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01782   896   NtClose  (236, ... ) == 0x0
 01783   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 1241012, ... ) }, 1241012, ... ) == 0x0
 01784   896   NtWaitForSingleObject  (192, 0, 0x0, ... ) == 0x0
 01785   896   NtReleaseMutant  (192, ... 0x0, ) == 0x0
 01786   896   NtOpenKey  (0xf, {24, 76, 0x40, 0, 0,  (0xf, {24, 76, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 236, ) }, ... 236, ) == 0x0
 01787   896   NtOpenKey  (0xf, {24, 236, 0x40, 0, 0,  (0xf, {24, 236, 0x40, 0, 0, "Extensible Cache"}, ... 240, ) }, ... 240, ) == 0x0
 01788   896   NtClose  (236, ... ) == 0x0
 01789   896   NtWaitForSingleObject  (188, 0, {-600000000, -1}, ... ) == 0x0
 01790   896   NtEnumerateKey  (240, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= (240, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0
 01791   896   NtOpenKey  (0xf, {24, 240, 0x40, 0, 0,  (0xf, {24, 240, 0x40, 0, 0, "feedplat"}, ... 236, ) }, ... 236, ) == 0x0
 01792   896   NtQueryValueKey  (236,  (236, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01793   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01794   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (236, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01795   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01796   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (236, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01797   896   NtQueryValueKey  (236,  (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 01798   896   NtQueryValueKey  (236,  (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 01799   896   NtQueryValueKey  (236,  (236, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01800   896   NtQueryValueKey  (236,  (236, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01801   896   NtClose  (236, ... ) == 0x0
 01802   896   NtEnumerateKey  (240, 1, Basic, 288, ... {LastWrite={0x450668aa,0x1c8b090}, TitleIdx=0, Name= (240, 1, Basic, 288, ... {LastWrite={0x450668aa,0x1c8b090}, TitleIdx=0, Name="MSHist012008050720080508"}, 64, ) }, 64, ) == 0x0
 01803   896   NtOpenKey  (0xf, {24, 240, 0x40, 0, 0,  (0xf, {24, 240, 0x40, 0, 0, "MSHist012008050720080508"}, ... 236, ) }, ... 236, ) == 0x0
 01804   896   NtQueryValueKey  (236,  (236, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01805   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01806   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (236, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) }, 160, ) == 0x0
 01807   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01808   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (236, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) }, 160, ) == 0x0
 01809   896   NtQueryValueKey  (236,  (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01810   896   NtQueryValueKey  (236,  (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01811   896   NtQueryValueKey  (236,  (236, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01812   896   NtQueryValueKey  (236,  (236, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01813   896   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 01814   896   NtClose  (236, ... ) == 0x0
 01815   896   NtEnumerateKey  (240, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= (240, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0
 01816   896   NtOpenKey  (0xf, {24, 240, 0x40, 0, 0,  (0xf, {24, 240, 0x40, 0, 0, "UserData"}, ... 236, ) }, ... 236, ) == 0x0
 01817   896   NtQueryValueKey  (236,  (236, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01818   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01819   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (236, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 01820   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01821   896   NtQueryValueKey  (236,  (236, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (236, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 01822   896   NtQueryValueKey  (236,  (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 01823   896   NtQueryValueKey  (236,  (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 01824   896   NtQueryValueKey  (236,  (236, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0
 01825   896   NtQueryValueKey  (236,  (236, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0
 01826   896   NtClose  (236, ... ) == 0x0
 01827   896   NtEnumerateKey  (240, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01828   896   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 01829   896   NtClose  (240, ... ) == 0x0
 01830   896   NtWaitForSingleObject  (192, 0, 0x0, ... ) == 0x0
 01831   896   NtReleaseMutant  (192, ... 0x0, ) == 0x0
 01832   896   NtWaitForSingleObject  (192, 0, 0x0, ... ) == 0x0
 01833   896   NtReleaseMutant  (192, ... 0x0, ) == 0x0
 01834   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01835   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01836   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01837   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01838   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01839   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01840   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01841   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 240, ) }, ... 240, ) == 0x0
 01842   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01843   896   NtOpenKey  (0x1, {24, 240, 0x40, 0, 0,  (0x1, {24, 240, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01844   896   NtClose  (240, ... ) == 0x0
 01845   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01846   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01847   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 240, ) }, ... 240, ) == 0x0
 01848   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01849   896   NtOpenKey  (0x1, {24, 240, 0x40, 0, 0,  (0x1, {24, 240, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01850   896   NtClose  (240, ... ) == 0x0
 01851   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01852   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01853   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 240, ) }, ... 240, ) == 0x0
 01854   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01855   896   NtOpenKey  (0x1, {24, 240, 0x40, 0, 0,  (0x1, {24, 240, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01856   896   NtClose  (240, ... ) == 0x0
 01857   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01858   896   NtQueryValueKey  (160,  (160, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01859   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01860   896   NtQueryValueKey  (240,  (240, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01861   896   NtClose  (240, ... ) == 0x0
 01862   896   NtQueryValueKey  (160,  (160, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01863   896   NtQueryValueKey  (160,  (160, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01864   896   NtQueryValueKey  (160,  (160, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01865   896   NtQueryValueKey  (160,  (160, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01866   896   NtQueryValueKey  (160,  (160, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01867   896   NtQueryValueKey  (160,  (160, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01868   896   NtQueryValueKey  (160,  (160, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01869   896   NtQueryValueKey  (160,  (160, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01870   896   NtQueryValueKey  (160,  (160, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01871   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01872   896   NtQueryValueKey  (240,  (240, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01873   896   NtClose  (240, ... ) == 0x0
 01874   896   NtQueryValueKey  (160,  (160, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01875   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01876   896   NtQueryValueKey  (240,  (240, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01877   896   NtClose  (240, ... ) == 0x0
 01878   896   NtQueryValueKey  (160,  (160, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01879   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01880   896   NtQueryValueKey  (240,  (240, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01881   896   NtClose  (240, ... ) == 0x0
 01882   896   NtQueryValueKey  (160,  (160, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01883   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01884   896   NtQueryValueKey  (240,  (240, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885   896   NtClose  (240, ... ) == 0x0
 01886   896   NtQueryValueKey  (160,  (160, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01887   896   NtQueryValueKey  (160,  (160, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01888   896   NtQueryValueKey  (160,  (160, "CertCacheNoValidate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01889   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 240, ) }, ... 240, ) == 0x0
 01890   896   NtQueryValueKey  (240,  (240, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01891   896   NtClose  (240, ... ) == 0x0
 01892   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01893   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01894   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01895   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 240, ) }, ... 240, ) == 0x0
 01896   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 236, ) }, ... 236, ) == 0x0
 01897   896   NtQueryValueKey  (236,  (236, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01898   896   NtQueryValueKey  (240,  (240, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01899   896   NtClose  (240, ... ) == 0x0
 01900   896   NtClose  (236, ... ) == 0x0
 01901   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01902   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01903   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 236, ) }, ... 236, ) == 0x0
 01904   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01905   896   NtOpenKey  (0x1, {24, 236, 0x40, 0, 0,  (0x1, {24, 236, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01906   896   NtClose  (236, ... ) == 0x0
 01907   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01908   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01909   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 236, ) }, ... 236, ) == 0x0
 01910   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01911   896   NtOpenKey  (0x1, {24, 236, 0x40, 0, 0,  (0x1, {24, 236, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01912   896   NtClose  (236, ... ) == 0x0
 01913   896   NtQueryValueKey  (160,  (160, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01914   896   NtQueryValueKey  (160,  (160, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01915   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01916   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01917   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 236, ) }, ... 236, ) == 0x0
 01918   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01919   896   NtOpenKey  (0x1, {24, 236, 0x40, 0, 0,  (0x1, {24, 236, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01920   896   NtClose  (236, ... ) == 0x0
 01921   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01922   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01923   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 236, ) }, ... 236, ) == 0x0
 01924   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01925   896   NtOpenKey  (0x1, {24, 236, 0x40, 0, 0,  (0x1, {24, 236, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... 240, ) }, ... 240, ) == 0x0
 01926   896   NtQueryValueKey  (240,  (240, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01927   896   NtQueryValueKey  (240,  (240, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01928   896   NtClose  (240, ... ) == 0x0
 01929   896   NtClose  (236, ... ) == 0x0
 01930   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01931   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01932   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 236, ) }, ... 236, ) == 0x0
 01933   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01934   896   NtOpenKey  (0x1, {24, 236, 0x40, 0, 0,  (0x1, {24, 236, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01935   896   NtClose  (236, ... ) == 0x0
 01936   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01937   896   NtQueryValueKey  (236,  (236, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01938   896   NtClose  (236, ... ) == 0x0
 01939   896   NtQueryValueKey  (160,  (160, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01940   896   NtQueryValueKey  (160,  (160, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01941   896   NtQueryValueKey  (160,  (160, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01942   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01943   896   NtQueryValueKey  (236,  (236, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01944   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01945   896   NtQueryValueKey  (240,  (240, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01946   896   NtClose  (236, ... ) == 0x0
 01947   896   NtClose  (240, ... ) == 0x0
 01948   896   NtQueryValueKey  (160,  (160, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01949   896   NtQueryValueKey  (160,  (160, "BypassFtpTimeCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01950   896   NtQueryValueKey  (160,  (160, "ReleaseSocketDuringAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01951   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01952   896   NtQueryValueKey  (240,  (240, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01953   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01954   896   NtQueryValueKey  (236,  (236, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01955   896   NtClose  (240, ... ) == 0x0
 01956   896   NtClose  (236, ... ) == 0x0
 01957   896   NtQueryValueKey  (160,  (160, "WpadSearchAllDomains", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01958   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01959   896   NtQueryValueKey  (236,  (236, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01960   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01961   896   NtQueryValueKey  (240,  (240, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01962   896   NtClose  (236, ... ) == 0x0
 01963   896   NtClose  (240, ... ) == 0x0
 01964   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01965   896   NtQueryValueKey  (240,  (240, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01966   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01967   896   NtQueryValueKey  (236,  (236, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01968   896   NtClose  (240, ... ) == 0x0
 01969   896   NtClose  (236, ... ) == 0x0
 01970   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01971   896   NtQueryValueKey  (236,  (236, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01972   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01973   896   NtQueryValueKey  (240,  (240, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01974   896   NtClose  (236, ... ) == 0x0
 01975   896   NtClose  (240, ... ) == 0x0
 01976   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01977   896   NtQueryValueKey  (240,  (240, "EnableHttpTrace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01978   896   NtClose  (240, ... ) == 0x0
 01979   896   NtOpenKey  (0x1, {24, 76, 0x40, 0, 0,  (0x1, {24, 76, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 240, ) }, ... 240, ) == 0x0
 01980   896   NtQueryValueKey  (240,  (240, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01981   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01982   896   NtQueryValueKey  (236,  (236, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01983   896   NtClose  (240, ... ) == 0x0
 01984   896   NtClose  (236, ... ) == 0x0
 01985   896   NtQueryValueKey  (160,  (160, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01986   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01987   896   NtQueryValueKey  (236,  (236, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01988   896   NtClose  (236, ... ) == 0x0
 01989   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01990   896   NtQueryValueKey  (236,  (236, "ShareCredsWithWinHttp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01991   896   NtClose  (236, ... ) == 0x0
 01992   896   NtQueryValueKey  (160,  (160, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01993   896   NtQueryValueKey  (160,  (160, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01994   896   NtQueryValueKey  (160,  (160, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01995   896   NtQueryValueKey  (160,  (160, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01996   896   NtQueryValueKey  (160,  (160, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01997   896   NtQueryValueKey  (160,  (160, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   896   NtQueryValueKey  (160,  (160, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01999   896   NtQueryValueKey  (160,  (160, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02000   896   NtQueryValueKey  (160,  (160, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (160, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02001   896   NtQueryValueKey  (160,  (160, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02002   896   NtQueryValueKey  (160,  (160, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02003   896   NtQueryValueKey  (160,  (160, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02004   896   NtQueryValueKey  (160,  (160, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02005   896   NtQueryValueKey  (160,  (160, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02006   896   NtQueryValueKey  (160,  (160, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02007   896   NtQueryValueKey  (160,  (160, "WarnOnHTTPSToHTTPRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02008   896   NtOpenMutant  (0x100000, {24, 68, 0x0, 0, 0,  (0x100000, {24, 68, 0x0, 0, 0, "Local\WininetStartupMutex"}, ... 236, ) }, ... 236, ) == 0x0
 02009   896   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 240, ) == 0x0
 02010   896   NtQueryValueKey  (160,  (160, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02011   896   NtWaitForSingleObject  (192, 0, 0x0, ... ) == 0x0
 02012   896   NtReleaseMutant  (192, ... 0x0, ) == 0x0
 02013   896   NtOpenMutant  (0x100000, {24, 68, 0x0, 0, 0,  (0x100000, {24, 68, 0x0, 0, 0, "Local\WininetConnectionMutex"}, ... 244, ) }, ... 244, ) == 0x0
 02014   896   NtOpenMutant  (0x100000, {24, 68, 0x0, 0, 0,  (0x100000, {24, 68, 0x0, 0, 0, "Local\WininetProxyRegistryMutex"}, ... 248, ) }, ... 248, ) == 0x0
 02015   896   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 252, ) == 0x0
 02016   896   NtQueryValueKey  (160,  (160, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02017   896   NtQueryValueKey  (160,  (160, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02018   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 256, ) == 0x0
 02019   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 260, ) }, ... 260, ) == 0x0
 02020   896   NtQueryValueKey  (260,  (260, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 02021   896   NtQueryValueKey  (260,  (260, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (260, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 02022   896   NtClose  (260, ... ) == 0x0
 02023   896   NtQueryValueKey  (160,  (160, "TruncateFileName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02024   896   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 02025   896   NtQueryValueKey  (160,  (160, "BadProxyExpiresTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02026   896   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 260, ) == 0x0
 02027   896   NtWaitForSingleObject  (260, 0, 0x0, ... ) == 0x0
 02028   896   NtClearEvent  (260, ... ) == 0x0
 02029   896   NtSetEvent  (260, ... 0x0, ) == 0x0
 02030   896   NtClearEvent  (240, ... ) == 0x0
 02031   896   NtSetEvent  (240, ... 0x0, ) == 0x0
 02032   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02033   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1240328, ... ) }, 1240328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02034   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\icmp.dll"}, 1240328, ... ) }, 1240328, ... ) == 0x0
 02035   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\icmp.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0
 02036   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 264, ... 268, ) == 0x0
 02037   896   NtQuerySection  (268, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02038   896   NtClose  (264, ... ) == 0x0
 02039   896   NtMapViewOfSection  (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0
 02040   896   NtClose  (268, ... ) == 0x0
 02041   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02042   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1240784, ... ) }, 1240784, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02043   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1240784, ... ) }, 1240784, ... ) == 0x0
 02044   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 268, {status=0x0, info=1}, ) }, 5, 96, ... 268, {status=0x0, info=1}, ) == 0x0
 02045   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 268, ... 264, ) == 0x0
 02046   896   NtQuerySection  (264, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02047   896   NtClose  (268, ... ) == 0x0
 02048   896   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 02049   896   NtClose  (264, ... ) == 0x0
 02050   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02051   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02052   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02053   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02054   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02055   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02056   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02057   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02058   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02059   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02060   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02061   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02062   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02063   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02064   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02065   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02066   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02067   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02068   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02070   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17367040, 65536, ) == 0x0
 02071   896   NtAllocateVirtualMemory  (-1, 17367040, 0, 4096, 4096, 4, ... 17367040, 4096, ) == 0x0
 02072   896   NtAllocateVirtualMemory  (-1, 17371136, 0, 8192, 4096, 4, ... 17371136, 8192, ) == 0x0
 02073   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) == 0x0
 02074   896   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) == 0x0
 02075   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02076   896   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 276, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 276, {status=0x0, info=0}, ) == 0x0
 02077   896   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1241508,  (0x20100080, {24, 0, 0x40, 0, 1241508, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 280, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 280, {status=0x0, info=0}, ) == 0x0
 02078   896   NtAllocateVirtualMemory  (-1, 17379328, 0, 36864, 4096, 4, ... 17379328, 36864, ) == 0x0
 02079   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 02080   896   NtDeviceIoControlFile  (264, 284, 0x0, 0x0, 0x120003,  (264, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (264, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 02081   896   NtClose  (284, ... ) == 0x0
 02082   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 02083   896   NtDeviceIoControlFile  (264, 284, 0x0, 0x0, 0x120003,  (264, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (264, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 02084   896   NtClose  (284, ... ) == 0x0
 02085   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 02086   896   NtDeviceIoControlFile  (264, 284, 0x0, 0x0, 0x120003,  (264, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363m\201\1\0\0\0\5\0\0\0\232A\250\25\364\221\244\6\375\205\1\0\326\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0.;k\0\377\221\0\0\356\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (264, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363m\201\1\0\0\0\5\0\0\0\232A\250\25\364\221\244\6\375\205\1\0\326\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0.;k\0\377\221\0\0\356\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 02087   896   NtClose  (284, ... ) == 0x0
 02088   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 02089   896   NtDeviceIoControlFile  (264, 284, 0x0, 0x0, 0x120003,  (264, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (264, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 02090   896   NtClose  (284, ... ) == 0x0
 02091   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 02092   896   NtDeviceIoControlFile  (264, 284, 0x0, 0x0, 0x120003,  (264, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (264, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 02093   896   NtClose  (284, ... ) == 0x0
 02094   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 02095   896   NtDeviceIoControlFile  (264, 284, 0x0, 0x0, 0x120003,  (264, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (264, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 02096   896   NtClose  (284, ... ) == 0x0
 02097   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 284, ) == 0x0
 02098   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 288, ) == 0x0
 02099   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02100   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02101   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02102   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02103   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02104   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02105   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02106   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02107   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02108   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02109   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02110   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02111   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02112   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02113   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02114   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02115   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02116   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02117   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02118   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02119   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02120   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02121   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02122   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02123   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02124   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02125   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02126   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02127   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02128   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02129   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02130   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02131   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02132   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02133   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02134   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02135   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02136   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02137   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02138   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02139   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02140   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02141   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02142   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02143   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02144   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02145   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02146   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02147   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02148   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02149   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02150   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02151   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02152   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02153   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02154   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02155   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02156   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02157   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02158   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02159   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02160   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02161   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02162   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02163   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02164   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02165   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02166   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02167   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02168   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02169   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02170   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02171   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02172   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02173   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02174   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02175   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02176   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02177   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02178   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02179   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02180   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02181   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02182   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02183   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02184   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02185   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02186   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02187   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02188   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02189   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02190   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02191   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02192   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02193   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02195   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02196   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02197   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02198   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02199   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02200   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02201   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02202   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02203   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02204   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02205   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02206   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02207   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02208   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02209   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02210   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02211   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02212   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02213   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02214   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02215   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02216   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02217   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02218   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02219   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17432576, 65536, ) == 0x0
 02220   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02221   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 1, 4096, 4, ... 17432576, 4096, ) == 0x0
 02222   896   NtQueryVirtualMemory  (-1, 0x10a0000, Basic, 28, ... {BaseAddress=0x10a0000,AllocationBase=0x10a0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02223   896   NtFreeVirtualMemory  (-1, (0x10a0000), 0, 32768, ... (0x10a0000), 65536, ) == 0x0
 02224   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 292, ) }, ... 292, ) == 0x0
 02225   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 296, ) }, ... 296, ) == 0x0
 02226   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 300, ) }, ... 300, ) == 0x0
 02227   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 304, ) }, ... 304, ) == 0x0
 02228   896   NtQueryDefaultLocale  (1, 1241488, ... ) == 0x0
 02229   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02230   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... 308, ) }, ... 308, ) == 0x0
 02231   896   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 02232   896   NtClose  (308, ... ) == 0x0
 02233   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02234   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02235   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02236   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02237   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02238   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02239   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02240   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02241   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02242   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02243   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02244   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02245   896   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02246   896   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02247   896   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02248   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02249   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "dnsapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02250   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\dnsapi.dll"}, 1240328, ... ) }, 1240328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02251   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dnsapi.dll"}, 1240328, ... ) }, 1240328, ... ) == 0x0
 02252   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dnsapi.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02253   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 308, ... 312, ) == 0x0
 02254   896   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02255   896   NtClose  (308, ... ) == 0x0
 02256   896   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 02257   896   NtClose  (312, ... ) == 0x0
 02258   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02259   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02260   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02261   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02262   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02263   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02264   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02265   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02266   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02267   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02268   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02269   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02270   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02271   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02272   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02273   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02274   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02275   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02276   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dnsapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02277   896   NtCreateKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 312, 2, ) }, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 312, 2, ) , 0, ... 312, 2, ) == 0x0
 02278   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 308, ) }, ... 308, ) == 0x0
 02279   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02280   896   NtQueryValueKey  (308,  (308, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02281   896   NtQueryValueKey  (312,  (312, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02282   896   NtQueryValueKey  (308,  (308, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02283   896   NtQueryValueKey  (312,  (312, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02284   896   NtQueryValueKey  (308,  (308, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02285   896   NtQueryValueKey  (312,  (312, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02286   896   NtQueryValueKey  (308,  (308, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02287   896   NtQueryValueKey  (312,  (312, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02288   896   NtQueryValueKey  (308,  (308, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02289   896   NtQueryValueKey  (308,  (308, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02290   896   NtQueryValueKey  (308,  (308, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02291   896   NtQueryValueKey  (308,  (308, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02292   896   NtQueryValueKey  (308,  (308, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02293   896   NtQueryValueKey  (308,  (308, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02294   896   NtQueryValueKey  (308,  (308, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02295   896   NtQueryValueKey  (308,  (308, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02296   896   NtQueryValueKey  (308,  (308, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02297   896   NtQueryValueKey  (312,  (312, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298   896   NtQueryValueKey  (308,  (308, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02299   896   NtQueryValueKey  (308,  (308, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02300   896   NtQueryValueKey  (312,  (312, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02301   896   NtQueryValueKey  (308,  (308, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02302   896   NtQueryValueKey  (312,  (312, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02303   896   NtQueryValueKey  (308,  (308, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02304   896   NtQueryValueKey  (312,  (312, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02305   896   NtQueryValueKey  (308,  (308, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02306   896   NtQueryValueKey  (312,  (312, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02307   896   NtQueryValueKey  (308,  (308, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02308   896   NtQueryValueKey  (312,  (312, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02309   896   NtQueryValueKey  (308,  (308, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02310   896   NtQueryValueKey  (312,  (312, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02311   896   NtQueryValueKey  (308,  (308, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02312   896   NtQueryValueKey  (312,  (312, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02313   896   NtQueryValueKey  (308,  (308, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02314   896   NtQueryValueKey  (308,  (308, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02315   896   NtQueryValueKey  (308,  (308, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02316   896   NtQueryValueKey  (308,  (308, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02317   896   NtQueryValueKey  (308,  (308, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02318   896   NtQueryValueKey  (308,  (308, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02319   896   NtQueryValueKey  (308,  (308, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02320   896   NtQueryValueKey  (308,  (308, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02321   896   NtQueryValueKey  (308,  (308, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02322   896   NtQueryValueKey  (308,  (308, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02323   896   NtQueryValueKey  (308,  (308, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02324   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02325   896   NtQueryValueKey  (316,  (316, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02326   896   NtClose  (316, ... ) == 0x0
 02327   896   NtClose  (312, ... ) == 0x0
 02328   896   NtClose  (308, ... ) == 0x0
 02329   896   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 308, ) }, ... 308, ) == 0x0
 02330   896   NtQueryValueKey  (308,  (308, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02331   896   NtQueryValueKey  (308,  (308, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02332   896   NtQueryValueKey  (308,  (308, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02333   896   NtClose  (308, ... ) == 0x0
 02334   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02335   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1240328, ... ) }, 1240328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02336   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbc32.dll"}, 1240328, ... ) }, 1240328, ... ) == 0x0
 02337   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbc32.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02338   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 308, ... 312, ) == 0x0
 02339   896   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02340   896   NtClose  (308, ... ) == 0x0
 02341   896   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74320000), 0x0, 249856, ) == 0x0
 02342   896   NtClose  (312, ... ) == 0x0
 02343   896   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02344   896   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02345   896   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02346   896   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02347   896   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02348   896   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02349   896   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02350   896   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02351   896   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02352   896   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02353   896   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02354   896   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02355   896   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02356   896   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02357   896   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02358   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 312, ) }, ... 312, ) == 0x0
 02359   896   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 299008, ) == 0x0
 02360   896   NtClose  (312, ... ) == 0x0
 02361   896   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02362   896   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02363   896   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02364   896   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02365   896   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02366   896   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02367   896   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02368   896   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02369   896   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02370   896   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02371   896   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02372   896   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02373   896   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02374   896   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02375   896   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02376   896   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02377   896   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02378   896   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02379   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comdlg32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02380   896   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06c
 02381   896   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06d
 02382   896   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06e
 02383   896   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06f
 02384   896   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc070
 02385   896   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc071
 02386   896   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc072
 02387   896   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc073
 02388   896   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06f
 02389   896   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc070
 02390   896   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc071
 02391   896   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc072
 02392   896   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc073
 02393   896   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc074
 02394   896   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc075
 02395   896   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc075
 02396   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02397   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\BidInterface\Loader"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02398   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02399   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02400   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02401   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02402   896   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 17432576, 262144, ) == 0x0
 02403   896   NtAllocateVirtualMemory  (-1, 17432576, 0, 4096, 4096, 4, ... 17432576, 4096, ) == 0x0
 02404   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02405   896   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 18743296, 262144, ) == 0x0
 02406   896   NtAllocateVirtualMemory  (-1, 18743296, 0, 4096, 4096, 4, ... 18743296, 4096, ) == 0x0
 02407   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02408   896   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 19005440, 262144, ) == 0x0
 02409   896   NtAllocateVirtualMemory  (-1, 19005440, 0, 4096, 4096, 4, ... 19005440, 4096, ) == 0x0
 02410   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02411   896   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 19267584, 262144, ) == 0x0
 02412   896   NtAllocateVirtualMemory  (-1, 19267584, 0, 4096, 4096, 4, ... 19267584, 4096, ) == 0x0
 02413   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02414   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02415   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02416   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02417   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 1236700, ... ) }, 1236700, ... ) == 0x0
 02418   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02419   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 312, ... 308, ) == 0x0
 02420   896   NtClose  (312, ... ) == 0x0
 02421   896   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x10e0000), 0x0, 94208, ) == 0x0
 02422   896   NtClose  (308, ... ) == 0x0
 02423   896   NtUnmapViewOfSection  (-1, 0x10e0000, ... ) == 0x0
 02424   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 1237008, ... ) }, 1237008, ... ) == 0x0
 02425   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02426   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 308, ... 312, ) == 0x0
 02427   896   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02428   896   NtClose  (308, ... ) == 0x0
 02429   896   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x20000000), 0x0, 94208, ) == 0x0
 02430   896   NtClose  (312, ... ) == 0x0
 02431   896   NtQueryDefaultLocale  (1, 1238840, ... ) == 0x0
 02432   896   NtAllocateVirtualMemory  (-1, 17436672, 0, 4096, 4096, 4, ... 17436672, 4096, ) == 0x0
 02433   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE"}, ... 312, ) }, ... 312, ) == 0x0
 02434   896   NtClose  (312, ... ) == 0x0
 02435   896   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02436   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02437   896   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02438   896   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02439   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odbcint.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02440   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "avicap32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02441   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\avicap32.dll"}, 1240328, ... ) }, 1240328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02442   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\avicap32.dll"}, 1240328, ... ) }, 1240328, ... ) == 0x0
 02443   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\avicap32.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02444   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 308, ) == 0x0
 02445   896   NtQuerySection  (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02446   896   NtClose  (312, ... ) == 0x0
 02447   896   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73b80000), 0x0, 73728, ) == 0x0
 02448   896   NtClose  (308, ... ) == 0x0
 02449   896   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02450   896   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02451   896   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02452   896   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02453   896   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02454   896   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02455   896   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02456   896   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02457   896   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02458   896   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02459   896   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02460   896   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02461   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02462   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1239512, ... ) }, 1239512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02463   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 1239512, ... ) }, 1239512, ... ) == 0x0
 02464   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0
 02465   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 308, ... 312, ) == 0x0
 02466   896   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02467   896   NtClose  (308, ... ) == 0x0
 02468   896   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 184320, ) == 0x0
 02469   896   NtClose  (312, ... ) == 0x0
 02470   896   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 02471   896   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 02472   896   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 02473   896   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 02474   896   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 02475   896   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 02476   896   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 02477   896   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 02478   896   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 02479   896   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 02480   896   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 02481   896   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 02482   896   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02483   896   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02484   896   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02485   896   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02486   896   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02487   896   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02488   896   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02489   896   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02490   896   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02491   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVFW32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02492   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVFW32.dll"}, 1239512, ... ) }, 1239512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02493   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVFW32.dll"}, 1239512, ... ) }, 1239512, ... ) == 0x0
 02494   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVFW32.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02495   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 308, ) == 0x0
 02496   896   NtQuerySection  (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02497   896   NtClose  (312, ... ) == 0x0
 02498   896   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 135168, ) == 0x0
 02499   896   NtClose  (308, ... ) == 0x0
 02500   896   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02501   896   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02502   896   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02503   896   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02504   896   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02505   896   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02506   896   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02507   896   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02508   896   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02509   896   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02510   896   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02511   896   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02512   896   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02513   896   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02514   896   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02515   896   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02516   896   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02517   896   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02518   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02519   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 308, ) == 0x0
 02520   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 312, ) == 0x0
 02521   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 316, ) == 0x0
 02522   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 320, ) }, ... 320, ) == 0x0
 02523   896   NtQueryValueKey  (320,  (320, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02524   896   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 19529728, 524288, ) == 0x0
 02525   896   NtAllocateVirtualMemory  (-1, 19529728, 0, 4096, 4096, 4, ... 19529728, 4096, ) == 0x0
 02526   896   NtQueryValueKey  (320,  (320, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02527   896   NtQueryValueKey  (320,  (320, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02528   896   NtQueryValueKey  (320,  (320, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02529   896   NtQueryValueKey  (320,  (320, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02530   896   NtQueryValueKey  (320,  (320, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02531   896   NtQueryValueKey  (320,  (320, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02532   896   NtQueryValueKey  (320,  (320, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02533   896   NtQueryValueKey  (320,  (320, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02534   896   NtQueryValueKey  (320,  (320, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02535   896   NtQueryValueKey  (320,  (320, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02536   896   NtQueryValueKey  (320,  (320, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02537   896   NtQueryValueKey  (320,  (320, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02538   896   NtQueryValueKey  (320,  (320, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02539   896   NtQueryValueKey  (320,  (320, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02540   896   NtQueryValueKey  (320,  (320, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02541   896   NtQueryValueKey  (320,  (320, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02542   896   NtQueryValueKey  (320,  (320, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02543   896   NtQueryValueKey  (320,  (320, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02544   896   NtQueryValueKey  (320,  (320, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02545   896   NtQueryValueKey  (320,  (320, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02546   896   NtQueryValueKey  (320,  (320, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02547   896   NtQueryValueKey  (320,  (320, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02548   896   NtQueryValueKey  (320,  (320, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02549   896   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 02550   896   NtQueryValueKey  (320,  (320, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02551   896   NtQueryValueKey  (320,  (320, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02552   896   NtQueryValueKey  (320,  (320, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02553   896   NtQueryValueKey  (320,  (320, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02554   896   NtQueryValueKey  (320,  (320, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02555   896   NtQueryValueKey  (320,  (320, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02556   896   NtQueryValueKey  (320,  (320, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02557   896   NtQueryValueKey  (320,  (320, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02558   896   NtQueryValueKey  (320,  (320, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02559   896   NtQueryValueKey  (320,  (320, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02560   896   NtQueryValueKey  (320,  (320, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02561   896   NtQueryValueKey  (320,  (320, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02562   896   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc076
 02563   896   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 324, ) }, ... 324, ) == 0x0
 02564   896   NtQueryValueKey  (324,  (324, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (324, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02565   896   NtClose  (324, ... ) == 0x0
 02566   896   NtCreateEvent  (0x1f0003, {24, 68, 0x80, 0, 0,  (0x1f0003, {24, 68, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 02567   896   NtQueryValueKey  (320,  (320, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02568   896   NtQueryValueKey  (320,  (320, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02569   896   NtQueryValueKey  (320,  (320, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02570   896   NtQueryValueKey  (320,  (320, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (320, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02571   896   NtQueryValueKey  (320,  (320, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02572   896   NtQueryValueKey  (320,  (320, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02573   896   NtQueryValueKey  (320,  (320, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02574   896   NtQueryValueKey  (320,  (320, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02575   896   NtQueryValueKey  (320,  (320, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02576   896   NtQueryValueKey  (320,  (320, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02577   896   NtQueryValueKey  (320,  (320, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02578   896   NtQueryValueKey  (320,  (320, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02579   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVFW32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02580   896   NtQueryDefaultLocale  (1, 1240360, ... ) == 0x0
 02581   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avicap32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02582   896   NtQueryDefaultLocale  (1, 1240364, ... ) == 0x0
 02583   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02584   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02585   896   NtAllocateVirtualMemory  (-1, 0, 0, 23, 4096, 64, ... 17694720, 4096, ) == 0x0
 02586   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 17760256, 4096, ) == 0x0
 02587   896   NtCreateMutant  (0x1f0001, {24, 68, 0x80, 0, 0,  (0x1f0001, {24, 68, 0x80, 0, 0, "XxerooxX"}, 0, ... 324, ) }, 0, ... 324, ) == 0x0
 02588   896   NtAllocateVirtualMemory  (-1, 0, 0, 28, 4096, 64, ... 20054016, 4096, ) == 0x0
 02589   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20119552, 4096, ) == 0x0
 02590   896   NtWaitForSingleObject  (324, 0, {-300000000, -1}, ... ) == 0x0
 02591   896   NtAllocateVirtualMemory  (-1, 0, 0, 44, 4096, 64, ... 20185088, 4096, ) == 0x0
 02592   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20250624, 4096, ) == 0x0
 02593   896   NtAllocateVirtualMemory  (-1, 0, 0, 19, 4096, 64, ... 20316160, 4096, ) == 0x0
 02594   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20381696, 4096, ) == 0x0
 02595   896   NtAllocateVirtualMemory  (-1, 0, 0, 55, 4096, 64, ... 20447232, 4096, ) == 0x0
 02596   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20512768, 4096, ) == 0x0
 02597   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spools.exe"}, 1242336, ... ) }, 1242336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02598   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241224,  (0x80100080, {24, 0, 0x40, 0, 1241224, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 02599   896   NtQueryInformationFile  (328, 1241660, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 02600   896   NtQueryInformationFile  (328, 1241576, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02601   896   NtQueryInformationFile  (328, 1241392, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02602   896   NtAllocateVirtualMemory  (-1, 1392640, 0, 8192, 4096, 4, ... 1392640, 8192, ) == 0x0
 02603   896   NtQueryInformationFile  (328, 1392360, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 02604   896   NtQueryInformationFile  (328, 1239840, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02605   896   NtQueryInformationFile  (328, 1240116, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 02606   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1239992,  (0x40110080, {24, 0, 0x40, 0, 1239992, "\??\C:\WINDOWS\system32\spools.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 02607   896   NtClose  (-2147481368, ... ) == 0x0
 02606   896   NtCreateFile  ... 332, {status=0x0, info=2}, ) == 0x0
 02608   896   NtQueryVolumeInformationFile  (332, 1240144, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02609   896   NtQueryInformationFile  (332, 1239728, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02610   896   NtQueryVolumeInformationFile  (328, 1240144, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02611   896   NtQueryVolumeInformationFile  (328, 1239488, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02612   896   NtSetInformationFile  (332, 1240044, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02613   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 328, ... 336, ) == 0x0
 02614   896   NtMapViewOfSection  (336, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x13a0000), {0, 0}, 237568, ) == 0x0
 02615   896   NtClose  (336, ... ) == 0x0
 02616   896   NtWriteFile  (332, 0, 0, 0,  (332, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\324\341\7D\265\217TD\265\217TD\265\217T?\251\203TF\265\217T\307\251\201T]\265\217T\254\252\205T8\265\217TD\265\216T\310\265\217T&\252\234TC\265\217T\254\252\204T\16\265\217TRichD\265\217T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\343\356\374G\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\0\0\0\0\220\3\0\0\360\17\0-\2\20\0\0\20\0\0\0\0\20\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\23\0\0\4\0\0\206q\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\330\0\20\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3349\16\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0.nsp0\0\0\0\0\360\17\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02617   896   NtWriteFile  (332, 0, 0, 0,  (332, 0, 0, 0, "e\376\366\230!\203\310l\266\246P*(k\26\17\267\261D\37\204\36\36A"\314?\245\374V66\311\33\320f\12\375=\334!b\346\213L\232\220\264\37{\317\276-4\266jkd\303o8\207\26\272=\11\12\364rr#/4\357\v\370\271\260\307l\377\260\306\3318\270\265\240g\200\211\35\373N\317\312\251\227\277\311\16D\246\26\351\247\3120*K\262\343\276\333\10\24E\224\321\215\20\352\313_u\206\270\30\36lr\10Zz\350q\370\7\1777\237\273\12\271\241\340s\345\376\6\363\207[|\27!i\321\210\343\24\33v\26\363T\241wS\305\33OO\205\213\13Gp\276y\2367\303\374`T7\233\362\234\235P{3Z]\177!\11\250:\225O\2\365\253R\3\335\251_\271c\34}\230pI@7\341|\372\23u\2410a\220Y\24#O9\221\322\362\215\341\14\353\1778\326\270\252D8<\336)e>\372pc:B\273\350\244{k\177z\372G\200f\332\274\212\371\33{\374\327\253\336\2\366\330i\327=\304e\247\303\305\33\3635\201\203\351r\314M\355a\304\277\207\355\311:\233\23\243\302F\355\3163l\315\346\335\261\316\377\254B0\235\24\314|J^P8\15l\276R\347"G\225O\4\351YXd\213U,\277\210};\352\230Wt\23\253B\353@\275\256O0\20\177\264\3\373Y\320\357\13\325j,\352!)H z\306\367\303\315\254Z\366\276, 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \314?\245\374V66\311\33\320f\12\375=\334!b\346\213L\232\220\264\37{\317\276-4\266jkd\303o8\207\26\272=\11\12\364rr#/4\357\v\370\271\260\307l\377\260\306\3318\270\265\240g\200\211\35\373N\317\312\251\227\277\311\16D\246\26\351\247\3120*K\262\343\276\333\10\24E\224\321\215\20\352\313_u\206\270\30\36lr\10Zz\350q\370\7\1777\237\273\12\271\241\340s\345\376\6\363\207[|\27!i\321\210\343\24\33v\26\363T\241wS\305\33OO\205\213\13Gp\276y\2367\303\374`T7\233\362\234\235P{3Z]\177!\11\250:\225O\2\365\253R\3\335\251_\271c\34}\230pI@7\341|\372\23u\2410a\220Y\24#O9\221\322\362\215\341\14\353\1778\326\270\252D8<\336)e>\372pc:B\273\350\244{k\177z\372G\200f\332\274\212\371\33{\374\327\253\336\2\366\330i\327=\304e\247\303\305\33\3635\201\203\351r\314M\355a\304\277\207\355\311:\233\23\243\302F\355\3163l\315\346\335\261\316\377\254B0\235\24\314|J^P8\15l\276R\347 (332, 0, 0, 0, "e\376\366\230!\203\310l\266\246P*(k\26\17\267\261D\37\204\36\36A"\314?\245\374V66\311\33\320f\12\375=\334!b\346\213L\232\220\264\37{\317\276-4\266jkd\303o8\207\26\272=\11\12\364rr#/4\357\v\370\271\260\307l\377\260\306\3318\270\265\240g\200\211\35\373N\317\312\251\227\277\311\16D\246\26\351\247\3120*K\262\343\276\333\10\24E\224\321\215\20\352\313_u\206\270\30\36lr\10Zz\350q\370\7\1777\237\273\12\271\241\340s\345\376\6\363\207[|\27!i\321\210\343\24\33v\26\363T\241wS\305\33OO\205\213\13Gp\276y\2367\303\374`T7\233\362\234\235P{3Z]\177!\11\250:\225O\2\365\253R\3\335\251_\271c\34}\230pI@7\341|\372\23u\2410a\220Y\24#O9\221\322\362\215\341\14\353\1778\326\270\252D8<\336)e>\372pc:B\273\350\244{k\177z\372G\200f\332\274\212\371\33{\374\327\253\336\2\366\330i\327=\304e\247\303\305\33\3635\201\203\351r\314M\355a\304\277\207\355\311:\233\23\243\302F\355\3163l\315\346\335\261\316\377\254B0\235\24\314|J^P8\15l\276R\347"G\225O\4\351YXd\213U,\277\210};\352\230Wt\23\253B\353@\275\256O0\20\177\264\3\373Y\320\357\13\325j,\352!)H z\306\367\303\315\254Z\366\276, 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02618   896   NtWriteFile  (332, 0, 0, 0,  (332, 0, 0, 0, "\352\336\204\274\247\210\26\6U\344\222O\270f\275R\221(\271\337\2\335\344\13\261\22P\311\212!\31o\346\20#H\260\272\223\223\276\340[S\374*=\254\300g\335\210u\305\267\354\201\357\340\317\275\255\352SUu\351\13A\205\216x\347\367"3pO\314$\2474\307\216\356\230\304\22\232\252\26550\335\0\331\270\362\13\337\352\21m\275x\205\253!\30"\265Y\306\323\14\321\314\237,\202_\7RV\210G\256x\271\334\244\223\326+\345\323\360\323\333\246\375\322\372n\34\341`n\223X!q\244\225\354\205\302\213?9\255\35\340K\301tC%\342p\22\202\230\340\231\23\0#\376\265%\234L\47\253\224\255Gf\244\31\270]\267\220\306\224\31\\256\207\251\304[\336X\34\367\367R\31`\2\217\303\307\275\377\3123x*<\235\2641&:\177]/W>\202v\364m\35\276\177\374\263\324\177\15d\212}'\224\315V)F}F\335\307Dr\2240\343\341\227\34\332]\366\2177\312\310\306\236\263\260\254\27\337\303\270}=\233\227\250\222\301\304Z\318\275\232\232\232HLt|N\362\212\341\355\341\306\305SX\265\240\376\377\264G\14U\6 Y\313\305G\252\5P\26P\336\347B\354\35a\3258K\31\344\200V\355\30\245\342\352\261\334\13D\261T\17\5z\2\365\344\317\250\253\313\232\302\217_\35\247\337\3016\271\3003\14\226f\306\305\343\341\12\254\371\317\334\347q\246\331\272\267!\217\302#[\270\372\32J\237:%\250>tY\266\356\27\225\3\355#!\276l.~\11O\354W\263\353qE\347\332\272\13\320i\212w\372&\360a\313\351\373\345wO\27\262\270\25\252", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) 3pO\314$\2474\307\216\356\230\304\22\232\252\26550\335\0\331\270\362\13\337\352\21m\275x\205\253!\30 (332, 0, 0, 0, "\352\336\204\274\247\210\26\6U\344\222O\270f\275R\221(\271\337\2\335\344\13\261\22P\311\212!\31o\346\20#H\260\272\223\223\276\340[S\374*=\254\300g\335\210u\305\267\354\201\357\340\317\275\255\352SUu\351\13A\205\216x\347\367"3pO\314$\2474\307\216\356\230\304\22\232\252\26550\335\0\331\270\362\13\337\352\21m\275x\205\253!\30"\265Y\306\323\14\321\314\237,\202_\7RV\210G\256x\271\334\244\223\326+\345\323\360\323\333\246\375\322\372n\34\341`n\223X!q\244\225\354\205\302\213?9\255\35\340K\301tC%\342p\22\202\230\340\231\23\0#\376\265%\234L\47\253\224\255Gf\244\31\270]\267\220\306\224\31\\256\207\251\304[\336X\34\367\367R\31`\2\217\303\307\275\377\3123x*<\235\2641&:\177]/W>\202v\364m\35\276\177\374\263\324\177\15d\212}'\224\315V)F}F\335\307Dr\2240\343\341\227\34\332]\366\2177\312\310\306\236\263\260\254\27\337\303\270}=\233\227\250\222\301\304Z\318\275\232\232\232HLt|N\362\212\341\355\341\306\305SX\265\240\376\377\264G\14U\6 Y\313\305G\252\5P\26P\336\347B\354\35a\3258K\31\344\200V\355\30\245\342\352\261\334\13D\261T\17\5z\2\365\344\317\250\253\313\232\302\217_\35\247\337\3016\271\3003\14\226f\306\305\343\341\12\254\371\317\334\347q\246\331\272\267!\217\302#[\270\372\32J\237:%\250>tY\266\356\27\225\3\355#!\276l.~\11O\354W\263\353qE\347\332\272\13\320i\212w\372&\360a\313\351\373\345wO\27\262\270\25\252", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02619   896   NtWriteFile  (332, 0, 0, 0,  (332, 0, 0, 0, "3\4\203\3408\263\357\3630\216bRVe\306e\270\212\2\357\68:\371\354\352\327r\333;\301M\341\264\37\330\23$E*\260\275\350\376|\307\241\262\266\254&r\240P\317\306\14\347V\260pX\303k\6\370\256\251\354\263\220\2\31v\343\331\247zC_\2\361\200\376\3661\371w.\224H\355\222\256\356\310\225J\5\246\15\21fN\224\250\222\342\362\27\1772\30\342"v\36$s8\10wO\240\23\23\222\177\334\204\325P\15H\301n\201\30j^\216%\300!gf\26\203\300\262\366L\303\305*\304[2\6\374s\300\17\370\203\340F\274c.\225\203\331\0\210 \222y\334'\367\346\35\266\205a\333F\273*3[Kq\274A\314\201\315t\224c\251xn\361S"L\275\347\23\373\2\343\323M!\224\363\364\34{\317\32\333\343\363\203\305\248\333V\330\226n!\353\7\262zH+\26|\232\31\30\6\242P)\300\353\337yq\5&c.6V\315\230\316\227z\326\352r\336?\25\277\274\205mv(~\301+I\360A\242i\302Z\360=\225\260\214\241\355\303\337J\0a\275\264>\347Q\341\24>\265Im\6f\10@\3311\253\1\236\34\270\31\157\327\365\327\373f\251\34E\201\13Ok\245\210\13\234\242;\301_\213\33\204D\201\366\302)k%\272\211\226\275\22\246(_\342\204\177Z\316\347\230\4\25\203alA/L\263{?\354w+\230}\356\325\375\266\370NG\362\256\301\354\370Y\325\15v$6\210\320Z\361\342\203\221A*hN\271t\220\326\32\250H,\300\227r?W\234\340F\340\201\214\371\375q?\212i\211\243\360s\312.\260\207\311\372\14\341\244<\24\357\373\6\212wdtP\365\177\360t\275\334t\340\202gXY\15\5\271\365\311B\271`}\363h\364\201\242\222\177\16\230Sg\356", 51200, 0x0, 0, ... {status=0x0, info=51200}, ) v\36$s8\10wO\240\23\23\222\177\334\204\325P\15H\301n\201\30j^\216%\300!gf\26\203\300\262\366L\303\305*\304[2\6\374s\300\17\370\203\340F\274c.\225\203\331\0\210 \222y\334'\367\346\35\266\205a\333F\273*3[Kq\274A\314\201\315t\224c\251xn\361S (332, 0, 0, 0, "3\4\203\3408\263\357\3630\216bRVe\306e\270\212\2\357\68:\371\354\352\327r\333;\301M\341\264\37\330\23$E*\260\275\350\376|\307\241\262\266\254&r\240P\317\306\14\347V\260pX\303k\6\370\256\251\354\263\220\2\31v\343\331\247zC_\2\361\200\376\3661\371w.\224H\355\222\256\356\310\225J\5\246\15\21fN\224\250\222\342\362\27\1772\30\342"v\36$s8\10wO\240\23\23\222\177\334\204\325P\15H\301n\201\30j^\216%\300!gf\26\203\300\262\366L\303\305*\304[2\6\374s\300\17\370\203\340F\274c.\225\203\331\0\210 \222y\334'\367\346\35\266\205a\333F\273*3[Kq\274A\314\201\315t\224c\251xn\361S"L\275\347\23\373\2\343\323M!\224\363\364\34{\317\32\333\343\363\203\305\248\333V\330\226n!\353\7\262zH+\26|\232\31\30\6\242P)\300\353\337yq\5&c.6V\315\230\316\227z\326\352r\336?\25\277\274\205mv(~\301+I\360A\242i\302Z\360=\225\260\214\241\355\303\337J\0a\275\264>\347Q\341\24>\265Im\6f\10@\3311\253\1\236\34\270\31\157\327\365\327\373f\251\34E\201\13Ok\245\210\13\234\242;\301_\213\33\204D\201\366\302)k%\272\211\226\275\22\246(_\342\204\177Z\316\347\230\4\25\203alA/L\263{?\354w+\230}\356\325\375\266\370NG\362\256\301\354\370Y\325\15v$6\210\320Z\361\342\203\221A*hN\271t\220\326\32\250H,\300\227r?W\234\340F\340\201\214\371\375q?\212i\211\243\360s\312.\260\207\311\372\14\341\244<\24\357\373\6\212wdtP\365\177\360t\275\334t\340\202gXY\15\5\271\365\311B\271`}\363h\364\201\242\222\177\16\230Sg\356", 51200, 0x0, 0, ... {status=0x0, info=51200}, ) , 51200, 0x0, 0, ... {status=0x0, info=51200}, ) == 0x0
 02620   896   NtUnmapViewOfSection  (-1, 0x13a0000, ... ) == 0x0
 02621   896   NtSetInformationFile  (332, 1241392, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02622   896   NtClose  (328, ... ) == 0x0
 02623   896   NtClose  (332, ... ) == 0x0
 02624   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241212, ... ) }, 1241212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02625   896   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241212, ... ) }, 1241212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02626   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\explorer.exe"}, 1241212, ... ) }, 1241212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02627   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241212, ... ) }, 1241212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02628   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241212, ... ) }, 1241212, ... ) == 0x0
 02629   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1242012,  (0x80100080, {24, 0, 0x40, 0, 1242012, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02630   896   NtAllocateVirtualMemory  (-1, 0, 0, 29, 4096, 64, ... 20578304, 4096, ) == 0x0
 02631   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20643840, 4096, ) == 0x0
 02632   896   NtQueryInformationFile  (332, 1242064, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02633   896   NtClose  (332, ... ) == 0x0
 02634   896   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1242012,  (0x40100080, {24, 0, 0x40, 0, 1242012, "\??\C:\WINDOWS\system32\spools.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02635   896   NtAllocateVirtualMemory  (-1, 0, 0, 29, 4096, 64, ... 20709376, 4096, ) == 0x0
 02636   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20774912, 4096, ) == 0x0
 02637   896   NtSetInformationFile  (332, 1242064, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02638   896   NtClose  (332, ... ) == 0x0
 02639   896   NtAllocateVirtualMemory  (-1, 0, 0, 23, 4096, 64, ... 20840448, 4096, ) == 0x0
 02640   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20905984, 4096, ) == 0x0
 02641   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spools.exe"}, 7, 2113568, ... 332, {status=0x0, info=1}, ) }, 7, 2113568, ... 332, {status=0x0, info=1}, ) == 0x0
 02642   896   NtSetInformationFile  (332, 1242312, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02643   896   NtClose  (332, ... ) == 0x0
 02644   896   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 20971520, 4096, ) == 0x0
 02645   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 21037056, 4096, ) == 0x0
 02646   896   NtAllocateVirtualMemory  (-1, 0, 0, 86, 4096, 64, ... 21102592, 4096, ) == 0x0
 02647   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 21168128, 4096, ) == 0x0
 02648   896   NtOpenProcess  (0x100000, {24, 0, 0x2, 0, 0, 0x0}, {1252, 0}, ... 332, ) == 0x0
 02649   896   NtAllocateVirtualMemory  (-1, 0, 0, 54, 4096, 64, ... 21233664, 4096, ) == 0x0
 02650   896   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 21299200, 4096, ) == 0x0
 02651   896   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02652   896   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spools.exe"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 02653   896   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 328, ... 336, ) == 0x0
 02654   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02655   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 340, ) }, ... 340, ) == 0x0
 02656   896   NtQueryValueKey  (340,  (340, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02657   896   NtClose  (340, ... ) == 0x0
 02658   896   NtQueryVolumeInformationFile  (328, 1238688, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02659   896   NtOpenMutant  (0x120001, {24, 68, 0x0, 0, 0,  (0x120001, {24, 68, 0x0, 0, 0, "ShimCacheMutex"}, ... 340, ) }, ... 340, ) == 0x0
 02660   896   NtWaitForSingleObject  (340, 0, {-1000000, -1}, ... ) == 0x0
 02661   896   NtOpenSection  (0x2, {24, 68, 0x0, 0, 0,  (0x2, {24, 68, 0x0, 0, 0, "ShimSharedMemory"}, ... 344, ) }, ... 344, ) == 0x0
 02662   896   NtMapViewOfSection  (344, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1460000), {0, 0}, 57344, ) == 0x0
 02663   896   NtReleaseMutant  (340, ... 0x0, ) == 0x0
 02664   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1236620, ... ) }, 1236620, ... ) == 0x0
 02665   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 02666   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 348, ... 352, ) == 0x0
 02667   896   NtClose  (348, ... ) == 0x0
 02668   896   NtMapViewOfSection  (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1470000), 0x0, 126976, ) == 0x0
 02669   896   NtClose  (352, ... ) == 0x0
 02670   896   NtUnmapViewOfSection  (-1, 0x1470000, ... ) == 0x0
 02671   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1236928, ... ) }, 1236928, ... ) == 0x0
 02672   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0
 02673   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 352, ... 348, ) == 0x0
 02674   896   NtQuerySection  (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02675   896   NtClose  (352, ... ) == 0x0
 02676   896   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02677   896   NtClose  (348, ... ) == 0x0
 02678   896   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02679   896   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02680   896   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02681   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02682   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 02683   896   NtQueryInformationFile  (348, 1236944, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02684   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 348, ... 352, ) == 0x0
 02685   896   NtMapViewOfSection  (352, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1470000), 0x0, 1191936, ) == 0x0
 02686   896   NtQueryInformationFile  (348, 1237044, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02687   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02688   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02689   896   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02690   896   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02691   896   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 356, ) }, ... 356, ) == 0x0
 02692   896   NtQueryValueKey  (356,  (356, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (356, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02693   896   NtClose  (356, ... ) == 0x0
 02694   896   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02695   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02696   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1234640, 616, BothDirectory, 1,  (356, 0, 0, 0, 1234640, 616, BothDirectory, 1, "spools.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 02697   896   NtClose  (356, ... ) == 0x0
 02698   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02699   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02700   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spools.exe"}, 1235016, ... ) }, 1235016, ... ) == 0x0
 02701   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02702   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1234444, 616, BothDirectory, 1,  (356, 0, 0, 0, 1234444, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02703   896   NtClose  (356, ... ) == 0x0
 02704   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02705   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1234444, 616, BothDirectory, 1,  (356, 0, 0, 0, 1234444, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02706   896   NtClose  (356, ... ) == 0x0
 02707   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02708   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1234444, 616, BothDirectory, 1,  (356, 0, 0, 0, 1234444, 616, BothDirectory, 1, "spools.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 02709   896   NtClose  (356, ... ) == 0x0
 02710   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02711   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02712   896   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02713   896   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02714   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02715   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02716   896   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02717   896   NtClose  (356, ... ) == 0x0
 02718   896   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02719   896   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\spools.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02720   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02721   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02722   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spools.exe"}, 1236268, ... ) }, 1236268, ... ) == 0x0
 02723   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02724   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1235696, 616, BothDirectory, 1,  (356, 0, 0, 0, 1235696, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02725   896   NtClose  (356, ... ) == 0x0
 02726   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02727   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1235696, 616, BothDirectory, 1,  (356, 0, 0, 0, 1235696, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02728   896   NtClose  (356, ... ) == 0x0
 02729   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02730   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1235696, 616, BothDirectory, 1,  (356, 0, 0, 0, 1235696, 616, BothDirectory, 1, "spools.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 02731   896   NtClose  (356, ... ) == 0x0
 02732   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02733   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02734   896   NtWaitForSingleObject  (340, 0, {-1000000, -1}, ... ) == 0x0
 02735   896   NtQueryVolumeInformationFile  (328, 1236924, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02736   896   NtQueryInformationFile  (328, 1236904, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02737   896   NtQueryInformationFile  (328, 1236944, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02738   896   NtReleaseMutant  (340, ... 0x0, ) == 0x0
 02739   896   NtUnmapViewOfSection  (-1, 0x1470000, ... ) == 0x0
 02740   896   NtClose  (352, ... ) == 0x0
 02741   896   NtClose  (348, ... ) == 0x0
 02742   896   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02743   896   NtOpenProcessToken  (-1, 0xa, ... 348, ) == 0x0
 02744   896   NtQueryInformationToken  (348, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 02745   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02746   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 352, ) }, ... 352, ) == 0x0
 02747   896   NtQueryValueKey  (352,  (352, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (352, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02748   896   NtQueryValueKey  (352,  (352, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (352, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02749   896   NtClose  (352, ... ) == 0x0
 02750   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02751   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 352, ) }, ... 352, ) == 0x0
 02752   896   NtQueryValueKey  (352,  (352, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02753   896   NtClose  (352, ... ) == 0x0
 02754   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02755   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02756   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02757   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02758   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02759   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02760   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02761   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02762   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02763   896   NtQueryDefaultLocale  (1, 1238116, ... ) == 0x0
 02764   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 352, ) }, ... 352, ) == 0x0
 02765   896   NtEnumerateKey  (352, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (352, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02766   896   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 356, ) }, ... 356, ) == 0x0
 02767   896   NtQueryValueKey  (356,  (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02768   896   NtQueryValueKey  (356,  (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02769   896   NtClose  (356, ... ) == 0x0
 02770   896   NtEnumerateKey  (352, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02771   896   NtClose  (352, ... ) == 0x0
 02772   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 352, ) }, ... 352, ) == 0x0
 02773   896   NtEnumerateKey  (352, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (352, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 02774   896   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 356, ) }, ... 356, ) == 0x0
 02775   896   NtQueryValueKey  (356,  (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 02776   896   NtQueryValueKey  (356,  (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02777   896   NtQueryValueKey  (356,  (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02778   896   NtQueryValueKey  (356,  (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02779   896   NtClose  (356, ... ) == 0x0
 02780   896   NtEnumerateKey  (352, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (352, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 02781   896   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 356, ) }, ... 356, ) == 0x0
 02782   896   NtQueryValueKey  (356,  (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 02783   896   NtQueryValueKey  (356,  (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02784   896   NtQueryValueKey  (356,  (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02785   896   NtQueryValueKey  (356,  (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02786   896   NtClose  (356, ... ) == 0x0
 02787   896   NtEnumerateKey  (352, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (352, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 02788   896   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 356, ) }, ... 356, ) == 0x0
 02789   896   NtQueryValueKey  (356,  (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 02790   896   NtQueryValueKey  (356,  (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02791   896   NtQueryValueKey  (356,  (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02792   896   NtQueryValueKey  (356,  (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02793   896   NtClose  (356, ... ) == 0x0
 02794   896   NtEnumerateKey  (352, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (352, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 02795   896   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 356, ) }, ... 356, ) == 0x0
 02796   896   NtQueryValueKey  (356,  (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 02797   896   NtQueryValueKey  (356,  (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02798   896   NtQueryValueKey  (356,  (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02799   896   NtQueryValueKey  (356,  (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02800   896   NtClose  (356, ... ) == 0x0
 02801   896   NtEnumerateKey  (352, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (352, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 02802   896   NtOpenKey  (0x20019, {24, 352, 0x40, 0, 0,  (0x20019, {24, 352, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 356, ) }, ... 356, ) == 0x0
 02803   896   NtQueryValueKey  (356,  (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (356, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 02804   896   NtQueryValueKey  (356,  (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02805   896   NtQueryValueKey  (356,  (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (356, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02806   896   NtQueryValueKey  (356,  (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (356, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02807   896   NtClose  (356, ... ) == 0x0
 02808   896   NtEnumerateKey  (352, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02809   896   NtClose  (352, ... ) == 0x0
 02810   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02811   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02812   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02813   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02814   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02815   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02816   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02817   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02818   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02819   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02820   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02821   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02822   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02823   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02824   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02825   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02826   896   NtClose  (352, ... ) == 0x0
 02827   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02828   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02829   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02830   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02831   896   NtClose  (352, ... ) == 0x0
 02832   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02833   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02834   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02835   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02836   896   NtClose  (352, ... ) == 0x0
 02837   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02838   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02839   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02840   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02841   896   NtClose  (352, ... ) == 0x0
 02842   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02843   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02844   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02845   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02846   896   NtClose  (352, ... ) == 0x0
 02847   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02848   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02849   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02850   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02851   896   NtClose  (352, ... ) == 0x0
 02852   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02853   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02854   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02855   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02856   896   NtClose  (352, ... ) == 0x0
 02857   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02858   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02859   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02860   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02861   896   NtClose  (352, ... ) == 0x0
 02862   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02863   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02864   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02865   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02866   896   NtClose  (352, ... ) == 0x0
 02867   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02868   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02869   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02870   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02871   896   NtClose  (352, ... ) == 0x0
 02872   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02873   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02874   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02875   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02876   896   NtClose  (352, ... ) == 0x0
 02877   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02878   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02879   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02880   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02881   896   NtClose  (352, ... ) == 0x0
 02882   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02883   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02884   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02885   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02886   896   NtClose  (352, ... ) == 0x0
 02887   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02888   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02889   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02890   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02891   896   NtClose  (352, ... ) == 0x0
 02892   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02893   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02894   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02895   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02896   896   NtClose  (352, ... ) == 0x0
 02897   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02898   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 352, ) }, ... 352, ) == 0x0
 02899   896   NtQueryValueKey  (352,  (352, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (352, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (352, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02900   896   NtClose  (352, ... ) == 0x0
 02901   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02902   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 352, ) == 0x0
 02903   896   NtQueryInformationToken  (352, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02904   896   NtClose  (352, ... ) == 0x0
 02905   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02906   896   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02907   896   NtOpenProcessToken  (-1, 0xa, ... 352, ) == 0x0
 02908   896   NtDuplicateToken  (352, 0xc, {24, 0, 0x0, 0, 1238548, 0x0}, 0, 2, ... 356, ) == 0x0
 02909   896   NtClose  (352, ... ) == 0x0
 02910   896   NtAccessCheck  (1400016, 356, 0x1, 1238624, 1238676, 56, 1238656, ... (0x1), ) == 0x0
 02911   896   NtClose  (356, ... ) == 0x0
 02912   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 356, ) }, ... 356, ) == 0x0
 02913   896   NtQueryValueKey  (356,  (356, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (356, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02914   896   NtClose  (356, ... ) == 0x0
 02915   896   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 356, ) }, ... 356, ) == 0x0
 02916   896   NtQuerySymbolicLinkObject  (356, ...  (356, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02917   896   NtClose  (356, ... ) == 0x0
 02918   896   NtQueryVolumeInformationFile  (328, 1236380, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02919   896   NtQueryInformationFile  (328, 1236496, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 02920   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02921   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02922   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spools.exe"}, 1235668, ... ) }, 1235668, ... ) == 0x0
 02923   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02924   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1235096, 616, BothDirectory, 1,  (356, 0, 0, 0, 1235096, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02925   896   NtClose  (356, ... ) == 0x0
 02926   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02927   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1235096, 616, BothDirectory, 1,  (356, 0, 0, 0, 1235096, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02928   896   NtClose  (356, ... ) == 0x0
 02929   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 02930   896   NtQueryDirectoryFile  (356, 0, 0, 0, 1235096, 616, BothDirectory, 1,  (356, 0, 0, 0, 1235096, 616, BothDirectory, 1, "spools.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 02931   896   NtClose  (356, ... ) == 0x0
 02932   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02933   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02934   896   NtQueryInformationFile  (328, 1238536, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02935   896   NtCreateSection  (0xf0005, 0x0, {235520, 0}, 2, 134217728, 328, ... 356, ) == 0x0
 02936   896   NtMapViewOfSection  (356, -1, (0x0), 0, 0, {0, 0}, 235520, 1, 0, 2, ... (0x1470000), {0, 0}, 237568, ) == 0x0
 02937   896   NtClose  (356, ... ) == 0x0
 02938   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02939   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 356, ) == 0x0
 02940   896   NtQueryInformationToken  (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02941   896   NtClose  (356, ... ) == 0x0
 02942   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 356, ) }, ... 356, ) == 0x0
 02943   896   NtOpenKey  (0x20019, {24, 356, 0x40, 0, 0,  (0x20019, {24, 356, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 352, ) }, ... 352, ) == 0x0
 02944   896   NtClose  (356, ... ) == 0x0
 02945   896   NtQueryValueKey  (352,  (352, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02946   896   NtQueryValueKey  (352,  (352, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (352, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 02947   896   NtClose  (352, ... ) == 0x0
 02948   896   NtUnmapViewOfSection  (-1, 0x1470000, ... ) == 0x0
 02949   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 21430272, 4096, ) == 0x0
 02950   896   NtAllocateVirtualMemory  (-1, 21430272, 0, 4096, 4096, 4, ... 21430272, 4096, ) == 0x0
 02951   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 352, ) }, ... 352, ) == 0x0
 02952   896   NtQueryValueKey  (352,  (352, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02953   896   NtClose  (352, ... ) == 0x0
 02954   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02955   896   NtQueryInformationToken  (348, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02956   896   NtQueryInformationToken  (348, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02957   896   NtClose  (348, ... ) == 0x0
 02958   896   NtQuerySection  (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02959   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spools.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02960   896   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02961   896   NtCreateProcessEx  (1240460, 2035711, 0, -1, 4, 336, 0, 0, 0, ... ) == 0x0
 02962   896   NtSetInformationProcess  (348, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 02963   896   NtQueryInformationProcess  (348, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd8000,AffinityMask=0x1,BasePriority=8,Pid=220,ParentPid=1252,}, 0x0, ) == 0x0
 02964   896   NtReadVirtualMemory  (348, 0x7ffd8008, 4, ...  (348, 0x7ffd8008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 02965   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spools.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02966   896   NtAllocateVirtualMemory  (-1, 1400832, 0, 8192, 4096, 4, ... 1400832, 8192, ) == 0x0
 02967   896   NtReadVirtualMemory  (348, 0x400000, 4096, ...  (348, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\324\341\7D\265\217TD\265\217TD\265\217T?\251\203TF\265\217T\307\251\201T]\265\217T\254\252\205T8\265\217TD\265\216T\310\265\217T&\252\234TC\265\217T\254\252\204T\16\265\217TRichD\265\217T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\343\356\374G\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\0\0\0\0\220\3\0\0\360\17\0-\2\20\0\0\20\0\0\0\0\20\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\23\0\0\4\0\0\206q\4\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\330\0\20\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3349\16\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0.nsp0\0\0\0\0\360\17\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02968   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02969   896   NtQueryInformationProcess  (348, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd8000,AffinityMask=0x1,BasePriority=8,Pid=220,ParentPid=1252,}, 0x0, ) == 0x0
 02970   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1239412, ... ) }, 1239412, ... ) == 0x0
 02971   896   NtAllocateVirtualMemory  (-1, 0, 0, 2408, 4096, 4, ... 21495808, 4096, ) == 0x0
 02972   896   NtAllocateVirtualMemory  (348, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 02973   896   NtWriteVirtualMemory  (348, 0x10000,  (348, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 02974   896   NtAllocateVirtualMemory  (348, 0, 0, 2408, 4096, 4, ... 131072, 4096, ) == 0x0
 02975   896   NtWriteVirtualMemory  (348, 0x20000,  (348, 0x20000, "\0\20\0\0h\11\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0<\0>\0\220\10\0\0n\0p\0\320\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\2\0@\11\0\0\36\0 \0D\11\0\0\0\0\2\0d\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2408, ... 0x0, ) , 2408, ... 0x0, ) == 0x0
 02976   896   NtWriteVirtualMemory  (348, 0x7ffd8010,  (348, 0x7ffd8010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02977   896   NtWriteVirtualMemory  (348, 0x7ffd81e8,  (348, 0x7ffd81e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02978   896   NtFreeVirtualMemory  (-1, (0x1480000), 0, 32768, ... (0x1480000), 4096, ) == 0x0
 02979   896   NtAllocateVirtualMemory  (348, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02980   896   NtAllocateVirtualMemory  (348, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 02981   896   NtProtectVirtualMemory  (348, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 02982   896   NtCreateThread  (0x1f03ff, 0x0, 348, 1240468, 1240132, 1, ... 352, {220, 1328}, ) == 0x0
 02983   896   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 0, 0, 2088821759}  (24, {168, 196, new_msg, 0, 0, 0, 0, 2088821759} "\0\0\0\0\0\0\1\0\11\344\200|\334\343\200|_\1\0\0`\1\0\0\334\0\0\00\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\375\177\5\20\220|" ... {168, 196, reply, 0, 1252, 896, 81848, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\334\343\200|\\1\0\0`\1\0\0\334\0\0\00\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\375\177\5\20\220|" )  ... {168, 196, reply, 0, 1252, 896, 81848, 0}  (24, {168, 196, new_msg, 0, 0, 0, 0, 2088821759} "\0\0\0\0\0\0\1\0\11\344\200|\334\343\200|_\1\0\0`\1\0\0\334\0\0\00\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\375\177\5\20\220|" ... {168, 196, reply, 0, 1252, 896, 81848, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\334\343\200|\\1\0\0`\1\0\0\334\0\0\00\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\375\177\5\20\220|" )  ) == 0x0
 02984   896   NtResumeThread  (352, ... 1, ) == 0x0
 02985   896   NtClose  (328, ... ) == 0x0
 02986   896   NtClose  (336, ... ) == 0x0
 02987   896   NtDelayExecution  (0, {-2000000, -1}, ... ) == 0x0
 02988   896   NtClose  (348, ... ) == 0x0
 02989   896   NtClose  (352, ... ) == 0x0
 02990   896   NtTerminateProcess  (0, 0, ...
 01422  2016   NtWaitForMultipleObjects  ... ) == 0xc0
 02990   896   NtTerminateProcess  ... ) == 0x0
 02991   896   NtClose  (320, ... ) == 0x0
 02992   896   NtClose  (308, ... ) == 0x0
 02993   896   NtClose  (312, ... ) == 0x0
 02994   896   NtClose  (316, ... ) == 0x0
 02995   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x14,}, 4, ... ) == 0x0
 02996   896   NtFreeVirtualMemory  (-1, (0x1090000), 0, 32768, ... (0x1090000), 65536, ) == 0x0
 02997   896   NtClose  (264, ... ) == 0x0
 02998   896   NtClose  (268, ... ) == 0x0
 02999   896   NtClose  (276, ... ) == 0x0
 03000   896   NtClose  (272, ... ) == 0x0
 03001   896   NtClose  (280, ... ) == 0x0
 03002   896   NtClose  (284, ... ) == 0x0
 03003   896   NtClose  (288, ... ) == 0x0
 03004   896   NtClose  (304, ... ) == 0x0
 03005   896   NtClose  (300, ... ) == 0x0
 03006   896   NtClose  (296, ... ) == 0x0
 03007   896   NtClose  (292, ... ) == 0x0
 03008   896   NtUserGetAtomName  (49211, 1241268, ... ) == 0xf
 03009   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03010   896   NtUserGetAtomName  (49213, 1241268, ... ) == 0xd
 03011   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03012   896   NtUserGetAtomName  (49215, 1241268, ... ) == 0x10
 03013   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03014   896   NtUserGetAtomName  (49217, 1241268, ... ) == 0x12
 03015   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03016   896   NtUserGetAtomName  (49219, 1241268, ... ) == 0xd
 03017   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03018   896   NtUserGetAtomName  (49221, 1241268, ... ) == 0xb
 03019   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03020   896   NtUserGetAtomName  (49223, 1241268, ... ) == 0xf
 03021   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03022   896   NtUserGetAtomName  (49225, 1241268, ... ) == 0xd
 03023   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03024   896   NtUserGetAtomName  (49227, 1241268, ... ) == 0x11
 03025   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03026   896   NtUserGetAtomName  (49229, 1241268, ... ) == 0xf
 03027   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03028   896   NtUserGetAtomName  (49231, 1241268, ... ) == 0x11
 03029   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03030   896   NtUserGetAtomName  (49233, 1241268, ... ) == 0xf
 03031   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03032   896   NtUserGetAtomName  (49235, 1241268, ... ) == 0xc
 03033   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03034   896   NtUserGetAtomName  (49237, 1241260, ... ) == 0xd
 03035   896   NtUserUnregisterClass  (1241320, 1560870912, 1241308, ... ) == 0x1
 03036   896   NtUserGetAtomName  (49239, 1241260, ... ) == 0x11
 03037   896   NtUserUnregisterClass  (1241320, 1560870912, 1241308, ... ) == 0x1
 03038   896   NtUserGetAtomName  (49241, 1241268, ... ) == 0xc
 03039   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03040   896   NtUserGetAtomName  (49243, 1241268, ... ) == 0xe
 03041   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03042   896   NtUserGetAtomName  (49245, 1241268, ... ) == 0x8
 03043   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03044   896   NtUserGetAtomName  (49247, 1241268, ... ) == 0xd
 03045   896   NtUserUnregisterClass  (1241328, 1560870912, 1241316, ... ) == 0x1
 03046   896   NtUnmapViewOfSection  (-1, 0x1100000, ... ) == 0x0
 03047   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0
 03048   896   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 03049   896   NtClose  (208, ... ) == 0x0
 03050   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 03051   896   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 03052   896   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 03053   896   NtUnmapViewOfSection  (-1, 0x1030000, ... ) == 0x0
 03054   896   NtClose  (204, ... ) == 0x0
 03055   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 03056   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 03057   896   NtClose  (180, ... ) == 0x0
 03058   896   NtClose  (176, ... ) == 0x0
 03059   896   NtClose  (184, ... ) == 0x0
 03060   896   NtUserGetAtomName  (49211, 1241300, ... ) == 0xf
 03061   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03062   896   NtUserGetAtomName  (49213, 1241300, ... ) == 0xd
 03063   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03064   896   NtUserGetAtomName  (49215, 1241300, ... ) == 0x10
 03065   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03066   896   NtUserGetAtomName  (49217, 1241300, ... ) == 0x12
 03067   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03068   896   NtUserGetAtomName  (49219, 1241300, ... ) == 0xd
 03069   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03070   896   NtUserGetAtomName  (49221, 1241300, ... ) == 0xb
 03071   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03072   896   NtUserGetAtomName  (49223, 1241300, ... ) == 0xf
 03073   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03074   896   NtUserGetAtomName  (49225, 1241300, ... ) == 0xd
 03075   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03076   896   NtUserGetAtomName  (49227, 1241300, ... ) == 0x11
 03077   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03078   896   NtUserGetAtomName  (49229, 1241300, ... ) == 0xf
 03079   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03080   896   NtUserGetAtomName  (49231, 1241300, ... ) == 0x11
 03081   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03082   896   NtUserGetAtomName  (49233, 1241300, ... ) == 0xf
 03083   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03084   896   NtUserGetAtomName  (49235, 1241300, ... ) == 0xc
 03085   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03086   896   NtUserGetAtomName  (49237, 1241292, ... ) == 0xd
 03087   896   NtUserUnregisterClass  (1241352, 2000486400, 1241340, ... ) == 0x1
 03088   896   NtUserGetAtomName  (49239, 1241292, ... ) == 0x11
 03089   896   NtUserUnregisterClass  (1241352, 2000486400, 1241340, ... ) == 0x1
 03090   896   NtUserGetAtomName  (49241, 1241300, ... ) == 0xc
 03091   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03092   896   NtUserGetAtomName  (49243, 1241300, ... ) == 0xe
 03093   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03094   896   NtUserGetAtomName  (49245, 1241300, ... ) == 0x8
 03095   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03096   896   NtUserGetAtomName  (49247, 1241300, ... ) == 0xd
 03097   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03098   896   NtUserGetAtomName  (49175, 1241300, ... ) == 0x6
 03099   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03100   896   NtUserGetAtomName  (49177, 1241300, ... ) == 0x6
 03101   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03102   896   NtUserGetAtomName  (49176, 1241300, ... ) == 0x4
 03103   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03104   896   NtUserGetAtomName  (49178, 1241300, ... ) == 0x7
 03105   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03106   896   NtUserGetAtomName  (49180, 1241300, ... ) == 0x8
 03107   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03108   896   NtUserGetAtomName  (49182, 1241300, ... ) == 0x9
 03109   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03110   896   NtUserGetAtomName  (49179, 1241292, ... ) == 0x9
 03111   896   NtUserUnregisterClass  (1241352, 2000486400, 1241340, ... ) == 0x1
 03112   896   NtUserGetAtomName  (49256, 1241300, ... ) == 0x7
 03113   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03114   896   NtUserGetAtomName  (49258, 1241300, ... ) == 0xd
 03115   896   NtUserUnregisterClass  (1241360, 2000486400, 1241348, ... ) == 0x1
 03116   896   NtUnmapViewOfSection  (-1, 0x1040000, ... ) == 0x0
 03117   896   NtDeviceIoControlFile  (116, 120, 0x0, 0x12f1f8, 0x22415c,  (116, 120, 0x0, 0x12f1f8, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#|\0\0\0\0\0\0\0\10 \342\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#|\0\0\0\0\0\0\0\10 \342\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (116, 120, 0x0, 0x12f1f8, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#|\0\0\0\0\0\0\0\10 \342\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#|\0\0\0\0\0\0\0\10 \342\0\306\205\337w", ) , ) == 0x0
 03118   896   NtDeviceIoControlFile  (116, 120, 0x0, 0x12f1c0, 0x228168,  (116, 120, 0x0, 0x12f1c0, 0x228168, "|\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 03119   896   NtDeviceIoControlFile  (116, 120, 0x0, 0x12f1f8, 0x22415c,  (116, 120, 0x0, 0x12f1f8, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\224\0\0\0\0\0\0\0\10 \342\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\224\0\0\0\0\0\0\0\10 \342\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (116, 120, 0x0, 0x12f1f8, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\224\0\0\0\0\0\0\0\10 \342\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\224\0\0\0\0\0\0\0\10 \342\0\306\205\337w", ) , ) == 0x0
 03120   896   NtDeviceIoControlFile  (116, 120, 0x0, 0x12f1c0, 0x228168,  (116, 120, 0x0, 0x12f1c0, 0x228168, "\224\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 03121   896   NtWaitForSingleObject  (240, 0, 0x0, ... ) == 0x0
 03122   896   NtClearEvent  (240, ... ) == 0x0
 03123   896   NtSetEvent  (240, ... 0x0, ) == 0x0
 03124   896   NtClose  (240, ... ) == 0x0
 03125   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 03126   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 03127   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 03128   896   NtClose  (112, ... ) == 0x0
 03129   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 03130   896   NtUnmapViewOfSection  (-1, 0xae0000, ... ) == 0x0
 03131   896   NtClose  (80, ... ) == 0x0
 03132   896   NtGdiDeleteObjectApp  (-1190131992, ... ) == 0x1
 03133   896   NtUserGetProcessWindowStation  (... ) == 0x1c
 03134   896   NtUserBuildNameList  (28, 522, 1333648, 1241544, ... ) == 0x0
 03135   896   NtUserGetProcessWindowStation  (... ) == 0x1c
 03136   896   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x50
 03137   896   NtUserBuildHwndList  (80, 0, 0, 0, 64, ... (0x10070, 0x1a00f4, 0x5009e, 0x400fa, 0x10080, 0x10074, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x1401b6, 0xc01d2, 0xd0102, 0xd011a, 0x100d0, 0x200b0, 0x100cc, 0xf0104, 0x1500a4, 0x7012e, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 57, ) == 0x0
 03138   896   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 03139   896   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 03140   896   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 03141   896   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 03142   896   NtUserValidateHandleSecure  (1704180, ... ) == 0x1
 03143   896   NtUserQueryWindow  (1704180, 0, ... ) == 0x6b8
 03144   896   NtUserQueryWindow  (1704180, 1, ... ) == 0x6d4
 03145   896   NtUserValidateHandleSecure  (1704180, ... ) == 0x1
 03146   896   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 03147   896   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 03148   896   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 03149   896   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 03150   896   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 03151   896   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 03152   896   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 03153   896   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 03154   896   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 03155   896   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 03156   896   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 03157   896   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 03158   896   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 03159   896   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 03160   896   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 03161   896   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 03162   896   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 03163   896   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 03164   896   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 03165   896   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 03166   896   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 03167   896   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 03168   896   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 03169   896   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 03170   896   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 03171   896   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 03172   896   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 03173   896   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 03174   896   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 03175   896   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 03176   896   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 03177   896   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 03178   896   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 03179   896   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 03180   896   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 03181   896   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 03182   896   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 03183   896   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 03184   896   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 03185   896   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 03186   896   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 03187   896   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 03188   896   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 03189   896   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 03190   896   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 03191   896   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 03192   896   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 03193   896   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 03194   896   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 03195   896   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 03196   896   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 03197   896   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 03198   896   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 03199   896   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 03200   896   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 03201   896   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 03202   896   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 03203   896   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 03204   896   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 03205   896   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 03206   896   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 03207   896   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 03208   896   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 03209   896   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 03210   896   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 03211   896   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 03212   896   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 03213   896   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 03214   896   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 03215   896   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 03216   896   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 03217   896   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 03218   896   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 03219   896   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 03220   896   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 03221   896   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 03222   896   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 03223   896   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 03224   896   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 03225   896   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 03226   896   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 03227   896   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 03228   896   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 03229   896   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 03230   896   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 03231   896   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 03232   896   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 03233   896   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 03234   896   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 03235   896   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 03236   896   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 03237   896   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 03238   896   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 03239   896   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 03240   896   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 03241   896   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 03242   896   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 03243   896   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 03244   896   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 03245   896   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 03246   896   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 03247   896   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 03248   896   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 03249   896   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 03250   896   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 03251   896   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 03252   896   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 03253   896   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 03254   896   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 03255   896   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 03256   896   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 03257   896   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 03258   896   NtUserValidateHandleSecure  (1311158, ... ) == 0x1
 03259   896   NtUserQueryWindow  (1311158, 0, ... ) == 0x6b8
 03260   896   NtUserQueryWindow  (1311158, 1, ... ) == 0x6d4
 03261   896   NtUserValidateHandleSecure  (1311158, ... ) == 0x1
 03262   896   NtUserBuildHwndList  (0, 1311158, 1, 0, 64, ... (0xf0192, 0x80198, 0x1, ), 3, ) == 0x0
 03263   896   NtUserValidateHandleSecure  (983442, ... ) == 0x1
 03264   896   NtUserQueryWindow  (983442, 0, ... ) == 0x6b8
 03265   896   NtUserQueryWindow  (983442, 1, ... ) == 0x6d4
 03266   896   NtUserValidateHandleSecure  (524696, ... ) == 0x1
 03267   896   NtUserQueryWindow  (524696, 0, ... ) == 0x6b8
 03268   896   NtUserQueryWindow  (524696, 1, ... ) == 0x6d4
 03269   896   NtUserValidateHandleSecure  (786898, ... ) == 0x1
 03270   896   NtUserQueryWindow  (786898, 0, ... ) == 0x6b8
 03271   896   NtUserQueryWindow  (786898, 1, ... ) == 0x6d4
 03272   896   NtUserValidateHandleSecure  (786898, ... ) == 0x1
 03273   896   NtUserValidateHandleSecure  (852226, ... ) == 0x1
 03274   896   NtUserQueryWindow  (852226, 0, ... ) == 0x6b8
 03275   896   NtUserQueryWindow  (852226, 1, ... ) == 0x6d4
 03276   896   NtUserValidateHandleSecure  (852226, ... ) == 0x1
 03277   896   NtUserBuildHwndList  (0, 852226, 1, 0, 64, ... (0x700fc, 0xc0114, 0x1, ), 3, ) == 0x0
 03278   896   NtUserValidateHandleSecure  (459004, ... ) == 0x1
 03279   896   NtUserQueryWindow  (459004, 0, ... ) == 0x6b8
 03280   896   NtUserQueryWindow  (459004, 1, ... ) == 0x6d4
 03281   896   NtUserValidateHandleSecure  (786708, ... ) == 0x1
 03282   896   NtUserQueryWindow  (786708, 0, ... ) == 0x6b8
 03283   896   NtUserQueryWindow  (786708, 1, ... ) == 0x6d4
 03284   896   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 03285   896   NtUserQueryWindow  (852250, 0, ... ) == 0x6b8
 03286   896   NtUserQueryWindow  (852250, 1, ... ) == 0x6d4
 03287   896   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 03288   896   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 03289   896   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 03290   896   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 03291   896   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 03292   896   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 03293   896   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 03294   896   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 03295   896   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 03296   896   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 03297   896   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 03298   896   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 03299   896   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 03300   896   NtUserValidateHandleSecure  (983300, ... ) == 0x1
 03301   896   NtUserQueryWindow  (983300, 0, ... ) == 0x2fc
 03302   896   NtUserQueryWindow  (983300, 1, ... ) == 0x544
 03303   896   NtUserValidateHandleSecure  (983300, ... ) == 0x1
 03304   896   NtUserValidateHandleSecure  (1376420, ... ) == 0x1
 03305   896   NtUserQueryWindow  (1376420, 0, ... ) == 0x1e8
 03306   896   NtUserQueryWindow  (1376420, 1, ... ) == 0x708
 03307   896   NtUserValidateHandleSecure  (1376420, ... ) == 0x1
 03308   896   NtUserValidateHandleSecure  (459054, ... ) == 0x1
 03309   896   NtUserQueryWindow  (459054, 0, ... ) == 0x4b8
 03310   896   NtUserQueryWindow  (459054, 1, ... ) == 0x3dc
 03311   896   NtUserValidateHandleSecure  (459054, ... ) == 0x1
 03312   896   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 03313   896   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 03314   896   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 03315   896   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 03316   896   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 03317   896   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 03318   896   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 03319   896   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 03320   896   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 03321   896   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 03322   896   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 03323   896   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 03324   896   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 03325   896   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 03326   896   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 03327   896   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 03328   896   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 03329   896   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 03330   896   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 03331   896   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 03332   896   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 03333   896   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 03334   896   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 03335   896   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 03336   896   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 03337   896   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 03338   896   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 03339   896   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 03340   896   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 03341   896   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 03342   896   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 03343   896   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 03344   896   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 03345   896   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 03346   896   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 03347   896   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 03348   896   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 03349   896   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 03350   896   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 03351   896   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 03352   896   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 03353   896   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 03354   896   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 03355   896   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 03356   896   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 03357   896   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 03358   896   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 03359   896   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 03360   896   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 03361   896   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 03362   896   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 03363   896   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 03364   896   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 03365   896   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 03366   896   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 03367   896   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 03368   896   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 03369   896   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 03370   896   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 03371   896   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 03372   896   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 03373   896   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 03374   896   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 03375   896   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 03376   896   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 03377   896   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 03378   896   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 03379   896   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 03380   896   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 03381   896   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 03382   896   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 03383   896   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 03384   896   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 03385   896   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 03386   896   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 03387   896   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 03388   896   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 03389   896   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 03390   896   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 03391   896   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 03392   896   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 03393   896   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 03394   896   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 03395   896   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 03396   896   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 03397   896   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 03398   896   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 03399   896   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 03400   896   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 03401   896   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 03402   896   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 03403   896   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 03404   896   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 03405   896   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 03406   896   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 03407   896   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 03408   896   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 03409   896   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 03410   896   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 03411   896   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 03412   896   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 03413   896   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 03414   896   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 03415   896   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 03416   896   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 03417   896   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 03418   896   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 03419   896   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 03420   896   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 03421   896   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 03422   896   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 03423   896   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 03424   896   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 03425   896   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 03426   896   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 03427   896   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 03428   896   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 03429   896   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 03430   896   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 03431   896   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 03432   896   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 03433   896   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 03434   896   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 03435   896   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 03436   896   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 03437   896   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 03438   896   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 03439   896   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 03440   896   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 03441   896   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 03442   896   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 03443   896   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 03444   896   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 03445   896   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 03446   896   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 03447   896   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 03448   896   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 03449   896   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 03450   896   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 03451   896   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 03452   896   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 03453   896   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 03454   896   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 03455   896   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 03456   896   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 03457   896   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 03458   896   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 03459   896   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 03460   896   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 03461   896   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 03462   896   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 03463   896   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 03464   896   NtUserCloseDesktop  (80, ... ) == 0x1
 03465   896   NtUserGetProcessWindowStation  (... ) == 0x1c
 03466   896   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03467   896   NtUserGetProcessWindowStation  (... ) == 0x1c
 03468   896   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03469   896   NtGdiDeleteObjectApp  (1678378390, ... ) == 0x1
 03470   896   NtGdiDeleteObjectApp  (1946813918, ... ) == 0x1
 03471   896   NtClose  (72, ... ) == 0x0
 03472   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 03473   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 03474   896   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 03475   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 03476   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 03477   896   NtQueryVirtualMemory  (-1, 0x42456c, Basic, 28, ... {BaseAddress=0x424000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xdd000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 03478   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 72, ) }, ... 72, ) == 0x0
 03479   896   NtQueryValueKey  (72,  (72, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03480   896   NtClose  (72, ... ) == 0x0
 03481   896   NtClose  (64, ... ) == 0x0
 03482   896   NtClose  (116, ... ) == 0x0
 03483   896   NtFreeVirtualMemory  (-1, (0x1470000), 4096, 32768, ... (0x1470000), 4096, ) == 0x0
 03484   896   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 1392360, 0, 0}  (24, {20, 48, new_msg, 0, 0, 1392360, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 1252, 896, 81868, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 1252, 896, 81868, 0}  (24, {20, 48, new_msg, 0, 0, 1392360, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 1252, 896, 81868, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03485   896   NtTerminateProcess  (-1, 0, ...
NtAddAtom(>)	1	NtFsControlFile(>)	2	NtGdiGetStockObject(>)	5	NtQueryInformationFile(>)	21
NtCallbackReturn(>)	1	NtGdiCreateSolidBrush(>)	2	NtUserGetProcessWindowStation(>)	5	NtCreateEvent(>)	23
NtCreateMutant(>)	1	NtGdiHfontCreate(>)	2	NtOpenThreadToken(>)	6	NtQueryInformationProcess(>)	23
NtCreateProcessEx(>)	1	NtOpenDirectoryObject(>)	2	NtSetEvent(>)	7	NtQueryDirectoryFile(>)	24
NtDelayExecution(>)	1	NtOpenEvent(>)	2	NtSetValueKey(>)	7	NtCreateFile(>)	28
NtEnumerateValueKey(>)	1	NtOpenProcess(>)	2	NtUserBuildHwndList(>)	7	NtOpenProcessTokenEx(>)	33
NtGdiCreateBitmap(>)	1	NtOpenSymbolicLinkObject(>)	2	NtOpenMutant(>)	8	NtOpenThreadTokenEx(>)	33
NtGdiCreatePatternBrushInternal(>)	1	NtQuerySymbolicLinkObject(>)	2	NtOpenProcessToken(>)	9	NtOpenSection(>)	40
NtGdiInit(>)	1	NtReadVirtualMemory(>)	2	NtSetInformationProcess(>)	9	NtQueryInformationToken(>)	40
NtGdiQueryFontAssocInfo(>)	1	NtRegisterThreadTerminatePort(>)	2	NtUserCallNoParam(>)	9	NtQuerySystemInformation(>)	41
NtGdiSelectBitmap(>)	1	NtResumeThread(>)	2	NtCreateKey(>)	10	NtUserGetAtomName(>)	47
NtOpenKeyedEvent(>)	1	NtSetEventBoostPriority(>)	2	NtQueryDefaultUILanguage(>)	10	NtUserUnregisterClass(>)	47
NtQueryEvent(>)	1	NtTestAlert(>)	2	NtReleaseMutant(>)	10	NtUserFindExistingCursorIcon(>)	50
NtQueryInformationJobObject(>)	1	NtClearEvent(>)	3	NtUserGetWindowDC(>)	10	NtFreeVirtualMemory(>)	56
NtQueryInformationThread(>)	1	NtContinue(>)	3	NtCreateSemaphore(>)	11	NtQueryVirtualMemory(>)	57
NtQueryInstallUILanguage(>)	1	NtDuplicateObject(>)	3	NtEnumerateKey(>)	12	NtMapViewOfSection(>)	60
NtQueryObject(>)	1	NtGdiCreateCompatibleDC(>)	3	NtUserCallOneParam(>)	12	NtUserRegisterClassExWOW(>)	61
NtQueryTimerResolution(>)	1	NtGdiDeleteObjectApp(>)	3	NtUserSystemParametersInfo(>)	12	NtOpenFile(>)	64
NtReadFile(>)	1	NtNotifyChangeKey(>)	3	NtSetInformationThread(>)	13	NtQueryAttributesFile(>)	76
NtSecureConnectPort(>)	1	NtQueryPerformanceCounter(>)	3	NtQueryVolumeInformationFile(>)	15	NtCreateSection(>)	82
NtUserBuildNameList(>)	1	NtReleaseSemaphore(>)	3	NtRequestWaitReplyPort(>)	15	NtFlushInstructionCache(>)	136
NtUserCloseDesktop(>)	1	NtTerminateProcess(>)	3	NtQueryDebugFilterState(>)	17	NtUserValidateHandleSecure(>)	144
NtUserGetDC(>)	1	NtUserOpenDesktop(>)	3	NtSetInformationFile(>)	17	NtUserQueryWindow(>)	178
NtUserGetGUIThreadInfo(>)	1	NtWaitForMultipleObjects(>)	3	NtQuerySection(>)	18	NtAllocateVirtualMemory(>)	203
NtUserGetObjectInformation(>)	1	NtQueryKey(>)	4	NtUnmapViewOfSection(>)	18	NtProtectVirtualMemory(>)	278
NtUserGetThreadDesktop(>)	1	NtSetInformationObject(>)	4	NtDeviceIoControlFile(>)	19	NtOpenKey(>)	311
NtConnectPort(>)	2	NtWriteFile(>)	4	NtQueryDefaultLocale(>)	19	NtQueryValueKey(>)	423
NtCreateThread(>)	2	NtWriteVirtualMemory(>)	4	NtUserRegisterWindowMessage(>)	20	NtClose(>)	466
NtDuplicateToken(>)	2	NtAccessCheck(>)	5	NtWaitForSingleObject(>)	20