Summary:


NtCallbackReturn(>)  1 
NtUserBuildNameList(>)  1 
NtOpenProcessToken(>)  3 
NtUserCallNoParam(>)  9 

NtConnectPort(>)  1 
NtUserGetGUIThreadInfo(>)  1 
NtQueryInformationFile(>)  3 
NtUserFindExistingCursorIcon(>)  9 

NtCreateFile(>)  1 
NtUserGetThreadDesktop(>)  1 
NtUserOpenDesktop(>)  3 
NtUserGetWindowDC(>)  10 

NtDeviceIoControlFile(>)  1 
NtUserRegisterWindowMessage(>)  1 
NtFlushInstructionCache(>)  4 
NtOpenFile(>)  11 

NtFsControlFile(>)  1 
NtUserSystemParametersInfo(>)  1 
NtQueryKey(>)  4 
NtUserCallOneParam(>)  11 

NtGdiCreateBitmap(>)  1 
NtDuplicateObject(>)  2 
NtSetInformationObject(>)  4 
NtQueryInformationToken(>)  12 

NtGdiCreatePatternBrushInternal(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtCreateKey(>)  5 
NtUserRegisterClassExWOW(>)  15 

NtGdiInit(>)  1 
NtGdiHfontCreate(>)  2 
NtGdiGetStockObject(>)  5 
NtQueryAttributesFile(>)  18 

NtGdiQueryFontAssocInfo(>)  1 
NtNotifyChangeKey(>)  2 
NtQuerySection(>)  5 
NtQuerySystemInformation(>)  18 

NtGdiSelectBitmap(>)  1 
NtOpenDirectoryObject(>)  2 
NtSetInformationThread(>)  5 
NtOpenSection(>)  19 

NtOpenEvent(>)  1 
NtQueryDefaultLocale(>)  2 
NtUserBuildHwndList(>)  5 
NtContinue(>)  20 

NtOpenKeyedEvent(>)  1 
NtQueryInformationProcess(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtMapViewOfSection(>)  21 

NtOpenMutant(>)  1 
NtQueryVirtualMemory(>)  2 
NtCreateSection(>)  6 
NtWaitForSingleObject(>)  21 

NtOpenSymbolicLinkObject(>)  1 
NtTerminateProcess(>)  2 
NtSetValueKey(>)  6 
NtFreeVirtualMemory(>)  25 

NtQueryObject(>)  1 
NtUnmapViewOfSection(>)  2 
NtQueryVolumeInformationFile(>)  7 
NtReleaseMutant(>)  38 

NtQueryPerformanceCounter(>)  1 
NtUserCloseDesktop(>)  2 
NtRequestWaitReplyPort(>)  7 
NtOpenKey(>)  57 

NtQuerySymbolicLinkObject(>)  1 
NtUserGetObjectInformation(>)  2 
NtOpenProcessTokenEx(>)  8 
NtClose(>)  86 

NtRegisterThreadTerminatePort(>)  1 
NtCreateEvent(>)  3 
NtOpenThreadTokenEx(>)  8 
NtAllocateVirtualMemory(>)  99 

NtSecureConnectPort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtProtectVirtualMemory(>)  8 
NtQueryValueKey(>)  99 

NtTestAlert(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtSetInformationFile(>)  8 
NtUserQueryWindow(>)  132 


Trace:
 00001   448   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   448   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   448   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   448   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   448   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   448   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   448   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   448   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   448   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   448   NtClose  (12, ... ) == 0x0
 00014   448   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   448   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   448   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   448   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   448   NtClose  (16, ... ) == 0x0
 00021   448   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   448   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   448   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   448   NtClose  (16, ... ) == 0x0
 00026   448   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   448   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   448   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   448   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 444, 448, 1533, 0} "\250\345\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 444, 448, 1533, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 444, 448, 1533, 0} "\250\345\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   448   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   448   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   448   NtClose  (16, ... ) == 0x0
 00036   448   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   448   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   448   NtClose  (28, ... ) == 0x0
 00041   448   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   448   NtClose  (28, ... ) == 0x0
 00045   448   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   448   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   448   NtClose  (28, ... ) == 0x0
 00049   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   448   NtClose  (28, ... ) == 0x0
 00052   448   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 444, 448, 1538, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 444, 448, 1538, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 444, 448, 1538, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   448   NtProtectVirtualMemory  (-1, (0x409000), 118784, 4, ... (0x409000), 118784, 128, ) == 0x0
 00057   448   NtProtectVirtualMemory  (-1, (0x409000), 118784, 128, ... (0x409000), 118784, 4, ) == 0x0
 00058   448   NtFlushInstructionCache  (-1, 4231168, 118784, ... ) == 0x0
 00059   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "advapi32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   448   NtClose  (28, ... ) == 0x0
 00062   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   448   NtClose  (28, ... ) == 0x0
 00065   448   NtProtectVirtualMemory  (-1, (0x409000), 118784, 4, ... (0x409000), 118784, 64, ) == 0x0
 00066   448   NtProtectVirtualMemory  (-1, (0x409000), 118784, 64, ... (0x409000), 118784, 4, ) == 0x0
 00067   448   NtFlushInstructionCache  (-1, 4231168, 118784, ... ) == 0x0
 00068   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00070   448   NtClose  (28, ... ) == 0x0
 00071   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00072   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00073   448   NtClose  (28, ... ) == 0x0
 00074   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00075   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00076   448   NtClose  (28, ... ) == 0x0
 00077   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   448   NtClose  (28, ... ) == 0x0
 00080   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00081   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00082   448   NtClose  (28, ... ) == 0x0
 00083   448   NtProtectVirtualMemory  (-1, (0x409000), 118784, 4, ... (0x409000), 118784, 64, ) == 0x0
 00084   448   NtProtectVirtualMemory  (-1, (0x409000), 118784, 64, ... (0x409000), 118784, 4, ) == 0x0
 00085   448   NtFlushInstructionCache  (-1, 4231168, 118784, ... ) == 0x0
 00086   448   NtProtectVirtualMemory  (-1, (0x409000), 118784, 4, ... (0x409000), 118784, 64, ) == 0x0
 00087   448   NtProtectVirtualMemory  (-1, (0x409000), 118784, 64, ... (0x409000), 118784, 4, ) == 0x0
 00088   448   NtFlushInstructionCache  (-1, 4231168, 118784, ... ) == 0x0
 00089   448   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00090   448   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00091   448   NtClose  (28, ... ) == 0x0
 00092   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00093   448   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00094   448   NtClose  (28, ... ) == 0x0
 00095   448   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00096   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00097   448   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00098   448   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00099   448   NtClose  (28, ... ) == 0x0
 00100   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00101   448   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00102   448   NtClose  (28, ... ) == 0x0
 00103   448   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00104   448   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00105   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00107   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00108   448   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00109   448   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00110   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00111   448   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00112   448   NtClose  (32, ... ) == 0x0
 00113   448   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00114   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00115   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 444, 448, 1569, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 444, 448, 1569, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 444, 448, 1569, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00116   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00117   448   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0
 00118   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00119   448   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00120   448   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00121   448   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00122   448   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00123   448   NtClose  (-2147482020, ... ) == 0x0
 00124   448   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00125   448   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00126   448   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00127   448   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00128   448   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   448   NtClose  (-2147482020, ... ) == 0x0
 00130   448   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00131   448   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00132   448   NtClose  (-2147482020, ... ) == 0x0
 00133   448   NtQueryDefaultLocale  (0, -130840052, ... ) == 0x0
 00134   448   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00135   448   NtUserCallNoParam  (24, ... ) == 0x0
 00136   448   NtGdiCreateCompatibleDC  (0, ...
 00137   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00136   448   NtGdiCreateCompatibleDC  ... ) == 0x6501042c
 00138   448   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00139   448   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00140   448   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xe050449
 00141   448   NtGdiCreateSolidBrush  (0, 0, ...
 00142   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00141   448   NtGdiCreateSolidBrush  ... ) == 0xb100450
 00143   448   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00144   448   NtGdiCreateCompatibleDC  (0, ... ) == 0x8010453
 00145   448   NtGdiSelectBitmap  (134284371, 235209801, ... ) == 0x185000f
 00146   448   NtUserGetThreadDesktop  (448, 0, ... ) == 0x2c
 00147   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00148   448   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00149   448   NtClose  (52, ... ) == 0x0
 00150   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00151   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00152   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00153   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00154   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00155   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00156   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00157   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00158   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00159   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00160   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00161   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00162   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00163   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00164   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00165   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00166   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00167   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00168   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00169   448   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00170   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00171   448   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00172   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00173   448   NtAllocateVirtualMemory  (-1, 6467584, 0, 4096, 4096, 32, ... 6467584, 4096, ) == 0x0
 00172   448   NtUserRegisterClassExWOW  ... ) == 0x810cc025
 00174   448   NtCallbackReturn  (0, 0, 0, ...
 00175   448   NtGdiInit  (... ) == 0x1
 00176   448   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00177   448   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00178   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00179   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00180   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00181   448   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00182   448   NtClose  (52, ... ) == 0x0
 00183   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00184   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00185   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00186   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00187   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00188   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00191   448   NtClose  (52, ... ) == 0x0
 00192   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00193   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00194   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00195   448   NtClose  (52, ... ) == 0x0
 00196   448   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00197   448   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00198   448   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00199   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00200   448   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00201   448   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00202   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00203   448   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00204   448   NtClose  (56, ... ) == 0x0
 00205   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00206   448   NtTestAlert  (... ) == 0x0
 00207   448   NtContinue  (1244464, 1, ...
 00208   448   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401000,}, 4, ... ) == 0x0
 00209   448   NtAllocateVirtualMemory  (-1, 0, 0, 196608, 4096, 64, ... 3538944, 196608, ) == 0x0
 00210   448   NtAllocateVirtualMemory  (-1, 0, 0, 196608, 4096, 64, ... 3735552, 196608, ) == 0x0
 00211   448   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 196608, ) == 0x0
 00212   448   NtAllocateVirtualMemory  (-1, 0, 0, 1350, 4096, 4, ... 3538944, 4096, ) == 0x0
 00213   448   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00214   448   NtAllocateVirtualMemory  (-1, 0, 0, 148480, 4096, 4, ... 3538944, 151552, ) == 0x0
 00215   448   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 151552, ) == 0x0
 00216   448   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 4, ... 3538944, 4096, ) == 0x0
 00217   448   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00218   448   NtAllocateVirtualMemory  (-1, 0, 0, 3584, 4096, 4, ... 3538944, 4096, ) == 0x0
 00219   448   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00220   448   NtAllocateVirtualMemory  (-1, 0, 0, 8704, 4096, 4, ... 3538944, 12288, ) == 0x0
 00221   448   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 12288, ) == 0x0
 00222   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00223   448   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 00224   448   NtClose  (56, ... ) == 0x0
 00225   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00226   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1243008, ... ) }, 1243008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00227   448   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1243008, ... ) }, 1243008, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00228   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1243008, ... ) }, 1243008, ... ) == 0x0
 00229   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00230   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 60, ) == 0x0
 00231   448   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00232   448   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00233   448   NtQueryInformationToken  (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00234   448   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00235   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0
 00236   448   NtQueryValueKey  (68,  (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00237   448   NtClose  (68, ... ) == 0x0
 00238   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00239   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00240   448   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00241   448   NtClose  (68, ... ) == 0x0
 00242   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   448   NtClose  (64, ... ) == 0x0
 00244   448   NtClose  (56, ... ) == 0x0
 00245   448   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00246   448   NtClose  (60, ... ) == 0x0
 00247   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242204, ... ) }, 1242204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00249   448   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242204, ... ) }, 1242204, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00250   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242204, ... ) }, 1242204, ... ) == 0x0
 00251   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00252   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0
 00253   448   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00254   448   NtClose  (60, ... ) == 0x0
 00255   448   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00256   448   NtClose  (56, ... ) == 0x0
 00257   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241400, ... ) }, 1241400, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00259   448   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241400, ... ) }, 1241400, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241400, ... ) }, 1241400, ... ) == 0x0
 00261   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00262   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 60, ) == 0x0
 00263   448   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00264   448   NtClose  (56, ... ) == 0x0
 00265   448   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00266   448   NtClose  (60, ... ) == 0x0
 00267   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00268   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00269   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00270   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00271   448   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00272   448   NtClose  (60, ... ) == 0x0
 00273   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00274   448   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00275   448   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00276   448   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00277   448   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00278   448   NtQueryInformationToken  (56, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00279   448   NtClose  (56, ... ) == 0x0
 00280   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00281   448   NtReleaseMutant  (16, ...
 00282   448   NtContinue  (-130842488, 0, ...
 00281   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00283   448   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00284   448   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00285   448   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9502720, 1048576, ) == 0x0
 00286   448   NtAllocateVirtualMemory  (-1, 9502720, 0, 16384, 4096, 4, ... 9502720, 16384, ) == 0x0
 00287   448   NtUserCallNoParam  (29, ...
 00288   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242276, ... ) }, 1242276, ... ) == 0x0
 00289   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00290   448   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00291   448   NtClose  (56, ... ) == 0x0
 00292   448   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3c0000), 0x0, 204800, ) == 0x0
 00293   448   NtClose  (64, ... ) == 0x0
 00294   448   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 00295   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242592, ... ) }, 1242592, ... ) == 0x0
 00296   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00297   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0
 00298   448   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00299   448   NtClose  (64, ... ) == 0x0
 00300   448   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00301   448   NtClose  (56, ... ) == 0x0
 00302   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00303   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00304   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00305   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00306   448   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00307   448   NtClose  (56, ... ) == 0x0
 00308   448   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00309   448   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 64, ) }, ... 64, ) == 0x0
 00310   448   NtQueryValueKey  (64,  (64, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   448   NtClose  (64, ... ) == 0x0
 00312   448   NtClose  (56, ... ) == 0x0
 00313   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00314   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00315   448   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00316   448   NtClose  (56, ... ) == 0x0
 00317   448   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00318   448   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0
 00319   448   NtQueryValueKey  (64,  (64, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00320   448   NtClose  (64, ... ) == 0x0
 00321   448   NtClose  (56, ... ) == 0x0
 00322   448   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00323   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00324   448   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00325   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00326   448   NtUserGetProcessWindowStation  (... ) == 0x28
 00327   448   NtUserGetObjectInformation  (40, 2, 0, 0, 1244388, ... ) == 0x0
 00328   448   NtUserGetObjectInformation  (40, 2, 1328256, 16, 1244388, ... ) == 0x1
 00329   448   NtUserGetGUIThreadInfo  (448, 1244344, ... ) == 0x1
 00330   448   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244164, 64, ... 56, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244164, 64, ... 56, 0x0, 0x0, 0x0, 64, ) == 0x0
 00331   448   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 448, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 444, 448, 1581, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 448, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00332   448   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 448, 1582, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 444, 448, 1582, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 448, 1582, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00333   448   NtUserCallNoParam  (29, ...
 00334   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241636, ... ) }, 1241636, ... ) == 0x0
 00333   448   NtUserCallNoParam  ... ) == 0x0
 00335   448   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 00336   448   NtGdiHfontCreate  (1243716, 356, 0, 0, 1326824, ... ) == 0x80a0454
 00337   448   NtGdiHfontCreate  (1243716, 356, 0, 0, 1326816, ... ) == 0x60a0455
 00338   448   NtRequestWaitReplyPort  (56, {32, 56, new_msg, 0, 0, 0, 0, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 448, 1583, 0} "\0\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 444, 448, 1583, 0}  (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 448, 1583, 0} "\0\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00339   448   NtMapViewOfSection  (64, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa10000), {0, 0}, 331776, ) == 0x0
 00340   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00341   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00342   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00343   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00344   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00345   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00346   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00347   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00348   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00349   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00350   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00351   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00352   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00353   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00354   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00355   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00356   448   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00357   448   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x1100457
 00358   448   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00359   448   NtUserCallNoParam  (29, ...
 00360   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241080, ... ) }, 1241080, ... ) == 0x0
 00359   448   NtUserCallNoParam  ... ) == 0x0
 00361   448   NtUserCallNoParam  (29, ...
 00362   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241076, ... ) }, 1241076, ... ) == 0x0
 00361   448   NtUserCallNoParam  ... ) == 0x0
 00287   448   NtUserCallNoParam  ... ) == 0x1
 00363   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00364   448   NtReleaseMutant  (16, ...
 00365   448   NtContinue  (-130842488, 0, ...
 00364   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00366   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00367   448   NtReleaseMutant  (16, ...
 00368   448   NtContinue  (-130842488, 0, ...
 00367   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00369   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00370   448   NtReleaseMutant  (16, ...
 00371   448   NtContinue  (-130842488, 0, ...
 00370   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00372   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00373   448   NtReleaseMutant  (16, ...
 00374   448   NtContinue  (-130842488, 0, ...
 00373   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00375   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00376   448   NtReleaseMutant  (16, ...
 00377   448   NtContinue  (-130842488, 0, ...
 00376   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00378   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00379   448   NtReleaseMutant  (16, ...
 00380   448   NtContinue  (-130842488, 0, ...
 00379   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00381   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00382   448   NtReleaseMutant  (16, ...
 00383   448   NtContinue  (-130842488, 0, ...
 00382   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00384   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00385   448   NtReleaseMutant  (16, ...
 00386   448   NtContinue  (-130842488, 0, ...
 00385   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00387   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00388   448   NtReleaseMutant  (16, ...
 00389   448   NtContinue  (-130842488, 0, ...
 00388   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00390   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00391   448   NtReleaseMutant  (16, ...
 00392   448   NtContinue  (-130842488, 0, ...
 00391   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00393   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00394   448   NtReleaseMutant  (16, ...
 00395   448   NtContinue  (-130842488, 0, ...
 00394   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00396   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00397   448   NtReleaseMutant  (16, ...
 00398   448   NtContinue  (-130842488, 0, ...
 00397   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00399   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00400   448   NtReleaseMutant  (16, ...
 00401   448   NtContinue  (-130842488, 0, ...
 00400   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00402   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00403   448   NtReleaseMutant  (16, ...
 00404   448   NtContinue  (-130842488, 0, ...
 00403   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00405   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00406   448   NtReleaseMutant  (16, ...
 00407   448   NtContinue  (-130842488, 0, ...
 00406   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00408   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00409   448   NtReleaseMutant  (16, ...
 00410   448   NtContinue  (-130842488, 0, ...
 00409   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00411   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00412   448   NtReleaseMutant  (16, ...
 00413   448   NtContinue  (-130842488, 0, ...
 00412   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00414   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00415   448   NtReleaseMutant  (16, ...
 00416   448   NtContinue  (-130842488, 0, ...
 00415   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00417   448   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 68, ) }, ... 68, ) == 0x0
 00418   448   NtQueryValueKey  (68,  (68, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00419   448   NtQueryValueKey  (68,  (68, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00420   448   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00421   448   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Protocol_Catalog9"}, ... 76, ) }, ... 76, ) == 0x0
 00422   448   NtQueryValueKey  (76,  (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00423   448   NtNotifyChangeKey  (76, 72, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00424   448   NtQueryValueKey  (76,  (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00425   448   NtOpenKey  (0x2000000, {24, 76, 0x40, 0, 0,  (0x2000000, {24, 76, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00426   448   NtQueryValueKey  (76,  (76, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00427   448   NtQueryValueKey  (76,  (76, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00428   448   NtOpenKey  (0x2000000, {24, 76, 0x40, 0, 0,  (0x2000000, {24, 76, 0x40, 0, 0, "Catalog_Entries"}, ... 80, ) }, ... 80, ) == 0x0
 00429   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000001"}, ... 84, ) }, ... 84, ) == 0x0
 00430   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00431   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00432   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\261\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\261\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\262\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\262\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\263\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\261\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\261\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\262\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\262\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\263\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\261\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\261\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\262\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\262\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\263\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00433   448   NtClose  (84, ... ) == 0x0
 00434   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000002"}, ... 84, ) }, ... 84, ) == 0x0
 00435   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00436   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00437   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\266\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\266\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\267\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\270\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\266\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\266\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\267\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\270\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\266\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\266\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\267\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\270\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00438   448   NtClose  (84, ... ) == 0x0
 00439   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000003"}, ... 84, ) }, ... 84, ) == 0x0
 00440   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00441   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00442   448   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00443   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\274\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\274\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\275\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\276\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\274\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\274\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\275\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\276\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\274\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\274\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\275\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\276\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00444   448   NtClose  (84, ... ) == 0x0
 00445   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000004"}, ... 84, ) }, ... 84, ) == 0x0
 00446   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00447   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00448   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\301\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\301\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\302\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\303\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\301\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\301\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\302\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\303\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\301\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\301\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\302\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\303\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00449   448   NtClose  (84, ... ) == 0x0
 00450   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000005"}, ... 84, ) }, ... 84, ) == 0x0
 00451   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00452   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00453   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\306\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\306\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\307\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\310\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\306\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\306\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\307\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\310\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\306\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\306\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\307\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\310\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00454   448   NtClose  (84, ... ) == 0x0
 00455   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000006"}, ... 84, ) }, ... 84, ) == 0x0
 00456   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00457   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00458   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\313\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\313\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\314\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\314\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\315\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\313\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\313\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\314\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\314\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\315\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\313\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\313\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\314\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\314\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\315\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00459   448   NtClose  (84, ... ) == 0x0
 00460   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000007"}, ... 84, ) }, ... 84, ) == 0x0
 00461   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00462   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00463   448   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00464   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\321\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\321\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\322\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\323\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\321\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\321\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\322\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\323\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\321\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\321\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\322\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\323\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00465   448   NtClose  (84, ... ) == 0x0
 00466   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000008"}, ... 84, ) }, ... 84, ) == 0x0
 00467   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00468   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00469   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\326\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\326\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\327\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\330\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\326\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\326\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\327\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\330\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\326\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\326\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\327\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\330\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00470   448   NtClose  (84, ... ) == 0x0
 00471   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000009"}, ... 84, ) }, ... 84, ) == 0x0
 00472   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00473   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00474   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\333\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\333\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\334\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\335\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\333\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\333\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\334\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\335\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\333\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\333\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\334\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\335\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00475   448   NtClose  (84, ... ) == 0x0
 00476   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000010"}, ... 84, ) }, ... 84, ) == 0x0
 00477   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00478   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00479   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\340\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\340\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\341\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\341\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\342\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\340\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\340\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\341\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\341\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\342\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\340\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\340\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\341\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0pa\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\341\1\0\0\274\1\0\0\300\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\342\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\1\0\0\274\1\0\0\300\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00480   448   NtClose  (84, ... ) == 0x0
 00481   448   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "000000000011"}, ... 84, ) }, ... 84, ) == 0x0
 00482   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00483   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00484   448   NtQueryValueKey  (84,  (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\345\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\345\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\346\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\1\0\0\274\1\0\0\300\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\347\1\0\0\274\1\0\0\300\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\350\1\0\0\274\1\0\0\300\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\350\1\0\0\274\1\0\0\300\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\351\1\0\0\274\1\0\0\300\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\220\24\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0\351\1\0\0\274\1\0\0\300\1\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\220\24\0\0\0\0\0\0\20\0\0\352\1\0\0\274\1\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\345\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\345\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\346\1\0\0\274\1\0\0\300\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\1\0\0\274\1\0\0\300\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\347\1\0\0\274\1\0\0\300\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\350\1\0\0\274\1\0\0\300\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\350\1\0\0\274\1\0\0\300\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\351\1\0\0\274\1\0\0\300\1\0\0\12\0\0\0\0\0\1\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\220\24\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\0\0\0\351\1\0\0\274\1\0\0\300\1\0\0\12\0\0\0\1\0\1\0\0\0\0\0\20\0\0\0\0\0\0\0\0\220\24\0\0\0\0\0\0\20\0\0\352\1\0\0\274\1\0\0"}, 900, ) }, 900, ) == 0x0
 00485   448   NtClose  (84, ... ) == 0x0
 00486   448   NtClose  (80, ... ) == 0x0
 00487   448   NtWaitForSingleObject  (72, 0, {0, 0}, ... ) == 0x102
 00488   448   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0
 00489   448   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00490   448   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 84, ) }, ... 84, ) == 0x0
 00491   448   NtQueryValueKey  (84,  (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00492   448   NtNotifyChangeKey  (84, 80, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00493   448   NtQueryValueKey  (84,  (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00494   448   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00495   448   NtQueryValueKey  (84,  (84, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 00496   448   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Catalog_Entries"}, ... 88, ) }, ... 88, ) == 0x0
 00497   448   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000001"}, ... 92, ) }, ... 92, ) == 0x0
 00498   448   NtQueryValueKey  (92,  (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00499   448   NtQueryValueKey  (92,  (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00500   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00501   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00502   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00503   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00504   448   NtQueryValueKey  (92,  (92, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (92, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00505   448   NtQueryValueKey  (92,  (92, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00506   448   NtQueryValueKey  (92,  (92, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00507   448   NtQueryValueKey  (92,  (92, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00508   448   NtQueryValueKey  (92,  (92, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00509   448   NtQueryValueKey  (92,  (92, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00510   448   NtClose  (92, ... ) == 0x0
 00511   448   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000002"}, ... 92, ) }, ... 92, ) == 0x0
 00512   448   NtQueryValueKey  (92,  (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00513   448   NtQueryValueKey  (92,  (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00514   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00515   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00516   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00517   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00518   448   NtQueryValueKey  (92,  (92, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (92, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00519   448   NtQueryValueKey  (92,  (92, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00520   448   NtQueryValueKey  (92,  (92, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00521   448   NtQueryValueKey  (92,  (92, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00522   448   NtQueryValueKey  (92,  (92, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00523   448   NtQueryValueKey  (92,  (92, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00524   448   NtClose  (92, ... ) == 0x0
 00525   448   NtOpenKey  (0x20019, {24, 88, 0x40, 0, 0,  (0x20019, {24, 88, 0x40, 0, 0, "000000000003"}, ... 92, ) }, ... 92, ) == 0x0
 00526   448   NtQueryValueKey  (92,  (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00527   448   NtQueryValueKey  (92,  (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00528   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00529   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00530   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00531   448   NtQueryValueKey  (92,  (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00532   448   NtQueryValueKey  (92,  (92, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (92, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00533   448   NtQueryValueKey  (92,  (92, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534   448   NtQueryValueKey  (92,  (92, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00535   448   NtQueryValueKey  (92,  (92, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00536   448   NtQueryValueKey  (92,  (92, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00537   448   NtQueryValueKey  (92,  (92, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00538   448   NtClose  (92, ... ) == 0x0
 00539   448   NtClose  (88, ... ) == 0x0
 00540   448   NtWaitForSingleObject  (80, 0, {0, 0}, ... ) == 0x102
 00541   448   NtClose  (68, ... ) == 0x0
 00542   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00543   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00544   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 68, ) }, ... 68, ) == 0x0
 00545   448   NtQueryValueKey  (68,  (68, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   448   NtClose  (68, ... ) == 0x0
 00547   448   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 68, ) == 0x0
 00548   448   NtAllocateVirtualMemory  (-1, 9519104, 0, 32768, 4096, 4, ... 9519104, 32768, ) == 0x0
 00549   448   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 3538944, 4096, ) == 0x0
 00550   448   NtAllocateVirtualMemory  (-1, 0, 0, 21, 4096, 64, ... 3604480, 4096, ) == 0x0
 00551   448   NtAllocateVirtualMemory  (-1, 0, 0, 18152, 4096, 64, ... 3670016, 20480, ) == 0x0
 00552   448   NtAllocateVirtualMemory  (-1, 9551872, 0, 32768, 4096, 4, ... 9551872, 32768, ) == 0x0
 00553   448   NtFreeVirtualMemory  (-1, (0x920000), 16384, 16384, ... (0x920000), 16384, ) == 0x0
 00554   448   NtFreeVirtualMemory  (-1, (0x91c000), 16384, 16384, ... (0x91c000), 16384, ) == 0x0
 00555   448   NtAllocateVirtualMemory  (-1, 9551872, 0, 32768, 4096, 4, ... 9551872, 32768, ) == 0x0
 00556   448   NtFreeVirtualMemory  (-1, (0x920000), 16384, 16384, ... (0x920000), 16384, ) == 0x0
 00557   448   NtFreeVirtualMemory  (-1, (0x91c000), 16384, 16384, ... (0x91c000), 16384, ) == 0x0
 00558   448   NtFreeVirtualMemory  (-1, (0x914000), 32768, 16384, ... (0x914000), 32768, ) == 0x0
 00559   448   NtAllocateVirtualMemory  (-1, 9519104, 0, 32768, 4096, 4, ... 9519104, 32768, ) == 0x0
 00560   448   NtFreeVirtualMemory  (-1, (0x914000), 32768, 16384, ... (0x914000), 32768, ) == 0x0
 00561   448   NtAllocateVirtualMemory  (-1, 9519104, 0, 16384, 4096, 4, ... 9519104, 16384, ) == 0x0
 00562   448   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00563   448   NtAllocateVirtualMemory  (-1, 9535488, 0, 32768, 4096, 4, ... 9535488, 32768, ) == 0x0
 00564   448   NtFreeVirtualMemory  (-1, (0x918000), 32768, 16384, ... (0x918000), 32768, ) == 0x0
 00565   448   NtFreeVirtualMemory  (-1, (0x914000), 16384, 16384, ... (0x914000), 16384, ) == 0x0
 00566   448   NtAllocateVirtualMemory  (-1, 9519104, 0, 16384, 4096, 4, ... 9519104, 16384, ) == 0x0
 00567   448   NtFreeVirtualMemory  (-1, (0x914000), 16384, 16384, ... (0x914000), 16384, ) == 0x0
 00568   448   NtAllocateVirtualMemory  (-1, 9519104, 0, 16384, 4096, 4, ... 9519104, 16384, ) == 0x0
 00569   448   NtFreeVirtualMemory  (-1, (0x914000), 16384, 16384, ... (0x914000), 16384, ) == 0x0
 00570   448   NtAllocateVirtualMemory  (-1, 9519104, 0, 32768, 4096, 4, ... 9519104, 32768, ) == 0x0
 00571   448   NtFreeVirtualMemory  (-1, (0x914000), 32768, 16384, ... (0x914000), 32768, ) == 0x0
 00572   448   NtAllocateVirtualMemory  (-1, 9519104, 0, 32768, 4096, 4, ... 9519104, 32768, ) == 0x0
 00573   448   NtAllocateVirtualMemory  (-1, 0, 0, 4032, 4096, 64, ... 3932160, 4096, ) == 0x0
 00574   448   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 3997696, 4096, ) == 0x0
 00575   448   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 4063232, 4096, ) == 0x0
 00576   448   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 4128768, 4096, ) == 0x0
 00577   448   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 10944512, 4096, ) == 0x0
 00578   448   NtAllocateVirtualMemory  (-1, 0, 0, 11, 4096, 64, ... 11010048, 4096, ) == 0x0
 00579   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 11075584, 4096, ) == 0x0
 00580   448   NtAllocateVirtualMemory  (-1, 0, 0, 15, 4096, 64, ... 11141120, 4096, ) == 0x0
 00581   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 11206656, 4096, ) == 0x0
 00582   448   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 11272192, 4096, ) == 0x0
 00583   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 11337728, 4096, ) == 0x0
 00584   448   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 64, ... 11403264, 4096, ) == 0x0
 00585   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 11468800, 4096, ) == 0x0
 00586   448   NtAllocateVirtualMemory  (-1, 0, 0, 27, 4096, 64, ... 11534336, 4096, ) == 0x0
 00587   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 11599872, 4096, ) == 0x0
 00588   448   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 64, ... 11665408, 4096, ) == 0x0
 00589   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 11730944, 4096, ) == 0x0
 00590   448   NtAllocateVirtualMemory  (-1, 0, 0, 12, 4096, 64, ... 11796480, 4096, ) == 0x0
 00591   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 11862016, 4096, ) == 0x0
 00592   448   NtAllocateVirtualMemory  (-1, 0, 0, 21, 4096, 64, ... 11927552, 4096, ) == 0x0
 00593   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 11993088, 4096, ) == 0x0
 00594   448   NtAllocateVirtualMemory  (-1, 0, 0, 13, 4096, 64, ... 12058624, 4096, ) == 0x0
 00595   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12124160, 4096, ) == 0x0
 00596   448   NtAllocateVirtualMemory  (-1, 0, 0, 13, 4096, 64, ... 12189696, 4096, ) == 0x0
 00597   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12255232, 4096, ) == 0x0
 00598   448   NtAllocateVirtualMemory  (-1, 0, 0, 21, 4096, 64, ... 12320768, 4096, ) == 0x0
 00599   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12386304, 4096, ) == 0x0
 00600   448   NtAllocateVirtualMemory  (-1, 0, 0, 27, 4096, 64, ... 12451840, 4096, ) == 0x0
 00601   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12517376, 4096, ) == 0x0
 00602   448   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 12582912, 4096, ) == 0x0
 00603   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12648448, 4096, ) == 0x0
 00604   448   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 12713984, 4096, ) == 0x0
 00605   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12779520, 4096, ) == 0x0
 00606   448   NtAllocateVirtualMemory  (-1, 0, 0, 30, 4096, 64, ... 12845056, 4096, ) == 0x0
 00607   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12910592, 4096, ) == 0x0
 00608   448   NtAllocateVirtualMemory  (-1, 0, 0, 53, 4096, 64, ... 12976128, 4096, ) == 0x0
 00609   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13041664, 4096, ) == 0x0
 00610   448   NtAllocateVirtualMemory  (-1, 0, 0, 34, 4096, 64, ... 13107200, 4096, ) == 0x0
 00611   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13172736, 4096, ) == 0x0
 00612   448   NtAllocateVirtualMemory  (-1, 0, 0, 34, 4096, 64, ... 13238272, 4096, ) == 0x0
 00613   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13303808, 4096, ) == 0x0
 00614   448   NtAllocateVirtualMemory  (-1, 0, 0, 34, 4096, 64, ... 13369344, 4096, ) == 0x0
 00615   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13434880, 4096, ) == 0x0
 00616   448   NtAllocateVirtualMemory  (-1, 0, 0, 29, 4096, 64, ... 13500416, 4096, ) == 0x0
 00617   448   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13565952, 4096, ) == 0x0
 00618   448   NtFreeVirtualMemory  (-1, (0x914000), 16384, 16384, ... (0x914000), 16384, ) == 0x0
 00619   448   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243880,  (0xc0100080, {24, 0, 0x40, 0, 1243880, "\??\Scsi0:"}, 0x0, 0, 3, 1, 96, 0, 0, ... 88, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 88, {status=0x0, info=0}, ) == 0x0
 00620   448   NtDeviceIoControlFile  (88, 0, 0x0, 0x0, 0x4d008,  (88, 0, 0x0, 0x0, 0x4d008, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\1\1\0\0\240\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 572, 572, ... {status=0x0, info=572}, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0zBa\30\0\0\20\0\0\0\0\0?\0\0\0\0\0\0\000000000000000000010\0\0@\0\0\000000010MVawerV riutlaI EDH ra drDvi e          @\200\0\0\0/\0\0\0\2\0\0\7\0a\30\20\0?\0\360\375_\0@\1\0\0`\0\0\0\7\0\3\0x\0x\0\240\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\36\0\27\0\10@\10@\0@\10@\0@\0@\7\4\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 572, 572, ... {status=0x0, info=572},  (88, 0, 0x0, 0x0, 0x4d008, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\1\1\0\0\240\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 572, 572, ... {status=0x0, info=572}, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0zBa\30\0\0\20\0\0\0\0\0?\0\0\0\0\0\0\000000000000000000010\0\0@\0\0\000000010MVawerV riutlaI EDH ra drDvi e          @\200\0\0\0/\0\0\0\2\0\0\7\0a\30\20\0?\0\360\375_\0@\1\0\0`\0\0\0\7\0\3\0x\0x\0\240\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\36\0\27\0\10@\10@\0@\10@\0@\0@\7\4\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00621   448   NtClose  (88, ... ) == 0x0
 00622   448   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00623   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 88, {status=0x0, info=1}, ) }, 3, 16417, ... 88, {status=0x0, info=1}, ) == 0x0
 00624   448   NtQueryInformationFile  (88, 1243996, 528, Name, ... {status=0x0, info=6}, ) == 0x0
 00625   448   NtQueryVolumeInformationFile  (88, 1350312, 284, Volume, ... {status=0x0, info=18}, ) == 0x0
 00626   448   NtQueryVolumeInformationFile  (88, 1350608, 276, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00627   448   NtClose  (88, ... ) == 0x0
 00628   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 88, {status=0x0, info=1}, ) }, 3, 8388641, ... 88, {status=0x0, info=1}, ) == 0x0
 00629   448   NtQueryVolumeInformationFile  (88, 1244780, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00630   448   NtClose  (88, ... ) == 0x0
 00631   448   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00632   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 88, {status=0x0, info=1}, ) }, 3, 16417, ... 88, {status=0x0, info=1}, ) == 0x0
 00633   448   NtQueryInformationFile  (88, 1244000, 528, Name, ... {status=0x0, info=6}, ) == 0x0
 00634   448   NtQueryVolumeInformationFile  (88, 1350312, 284, Volume, ... {status=0x0, info=18}, ) == 0x0
 00635   448   NtQueryVolumeInformationFile  (88, 1350608, 276, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00636   448   NtClose  (88, ... ) == 0x0
 00637   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 88, {status=0x0, info=1}, ) }, 3, 8388641, ... 88, {status=0x0, info=1}, ) == 0x0
 00638   448   NtQueryVolumeInformationFile  (88, 1244784, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00639   448   NtClose  (88, ... ) == 0x0
 00640   448   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 13631488, 4096, ) == 0x0
 00641   448   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 13697024, 4096, ) == 0x0
 00642   448   NtAllocateVirtualMemory  (-1, 9551872, 0, 32768, 4096, 4, ... 9551872, 32768, ) == 0x0
 00643   448   NtFreeVirtualMemory  (-1, (0x920000), 16384, 16384, ... (0x920000), 16384, ) == 0x0
 00644   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00645   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00646   448   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00647   448   NtClose  (88, ... ) == 0x0
 00648   448   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 88, ) }, ... 88, ) == 0x0
 00649   448   NtSetInformationObject  (90, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00650   448   NtQueryKey  (90, Name, 382, ... {Name= (90, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 00651   448   NtOpenKey  (0x2000000, {24, 90, 0x40, 0, 0,  (0x2000000, {24, 90, 0x40, 0, 0, ".key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00652   448   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 92, ) }, ... 92, ) == 0x0
 00653   448   NtCreateKey  (0x2, {24, 92, 0x40, 0, 0,  (0x2, {24, 92, 0x40, 0, 0, ".key"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00654   448   NtSetInformationFile  (-2147482808, -130842036, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00655   448   NtSetInformationFile  (-2147482808, -130841668, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00656   448   NtSetInformationFile  (-2147482808, -130841660, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00653   448   NtCreateKey  ... 96, 1, ) == 0x0
 00657   448   NtClose  (92, ... ) == 0x0
 00658   448   NtQueryKey  (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.keyo"}, 82, ) }, 82, ) == 0x0
 00659   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00660   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00661   448   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00662   448   NtClose  (92, ... ) == 0x0
 00663   448   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00664   448   NtSetValueKey  (98, 0x0, 0, 1,  (98, 0x0, 0, 1, "\0\0", 2, ... ) , 2, ... ) == 0x0
 00665   448   NtClose  (98, ... ) == 0x0
 00666   448   NtQueryKey  (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 00667   448   NtOpenKey  (0x2, {24, 90, 0x40, 0, 0,  (0x2, {24, 90, 0x40, 0, 0, ".key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   448   NtOpenKey  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.key"}, ... 96, ) }, ... 96, ) == 0x0
 00669   448   NtQueryKey  (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.keyo"}, 82, ) }, 82, ) == 0x0
 00670   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00671   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00672   448   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00673   448   NtClose  (92, ... ) == 0x0
 00674   448   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   448   NtSetValueKey  (98, " (98, "", 0, 1, "r\0e\0g\0f\0i\0l\0e\0\0\0", 16, ... ) r\0e\0g\0f\0i\0l\0e\0\0\0", 16, ... ) == 0x0
 00676   448   NtClose  (98, ... ) == 0x0
 00677   448   NtFreeVirtualMemory  (-1, (0x91c000), 16384, 16384, ... (0x91c000), 16384, ) == 0x0
 00678   448   NtAllocateVirtualMemory  (-1, 9551872, 0, 32768, 4096, 4, ... 9551872, 32768, ) == 0x0
 00679   448   NtFreeVirtualMemory  (-1, (0x920000), 16384, 16384, ... (0x920000), 16384, ) == 0x0
 00680   448   NtAllocateVirtualMemory  (-1, 9568256, 0, 32768, 4096, 4, ... 9568256, 32768, ) == 0x0
 00681   448   NtFreeVirtualMemory  (-1, (0x920000), 32768, 16384, ... (0x920000), 32768, ) == 0x0
 00682   448   NtFreeVirtualMemory  (-1, (0x91c000), 16384, 16384, ... (0x91c000), 16384, ) == 0x0
 00683   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00684   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 13762560, 65536, ) == 0x0
 00685   448   NtAllocateVirtualMemory  (-1, 13762560, 0, 4096, 4096, 4, ... 13762560, 4096, ) == 0x0
 00686   448   NtAllocateVirtualMemory  (-1, 13766656, 0, 4096, 4096, 4, ... 13766656, 4096, ) == 0x0
 00687   448   NtQueryPerformanceCounter  (... {110698014, 0}, {3579545, 0}, ) == 0x0
 00688   448   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00689   448   NtSetValueKey  (96,  (96, "Start Page", 0, 1, "h\0t\0t\0p\0:\0/\0/\0w\0w\0w\0.\0o\0p\0e\0n\0a\0r\0t\0i\0c\0l\0e\0s\0.\0i\0n\0f\0o\0\0\0", 58, ... , 0, 1,  (96, "Start Page", 0, 1, "h\0t\0t\0p\0:\0/\0/\0w\0w\0w\0.\0o\0p\0e\0n\0a\0r\0t\0i\0c\0l\0e\0s\0.\0i\0n\0f\0o\0\0\0", 58, ... , 58, ...
 00690   448   NtSetInformationFile  (-2147482708, -130840780, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00691   448   NtSetInformationFile  (-2147482708, -130840848, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00689   448   NtSetValueKey  ... ) == 0x0
 00692   448   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 92, {status=0x0, info=1}, ) }, 7, 2113568, ... 92, {status=0x0, info=1}, ) == 0x0
 00693   448   NtQueryInformationFile  (92, 1243948, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00694   448   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 100, 0x0, ) }, 0, 0x0, 0, ... 100, 0x0, ) == 0x0
 00695   448   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00696   448   NtQueryValueKey  (100,  (100, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00697   448   NtClose  (100, ... ) == 0x0
 00698   448   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 100, 0x0, ) }, 0, 0x0, 0, ... 100, 0x0, ) == 0x0
 00699   448   NtQueryValueKey  (100,  (100, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00700   448   NtSetValueKey  (100,  (100, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 0, 7,  (100, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 50, ...
 00701   448   NtSetInformationFile  (-2147482844, -130840780, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00702   448   NtSetInformationFile  (-2147482844, -130840872, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00703   448   NtSetInformationFile  (-2147482844, -130841276, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00700   448   NtSetValueKey  ... ) == 0x0
 00704   448   NtClose  (100, ... ) == 0x0
 00705   448   NtClose  (92, ... ) == 0x0
 00706   448   NtTerminateProcess  (0, 0, ... ) == 0x0
 00707   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 00708   448   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00709   448   NtClose  (64, ... ) == 0x0
 00710   448   NtGdiDeleteObjectApp  (17826903, ... ) == 0x1
 00711   448   NtUserGetProcessWindowStation  (... ) == 0x28
 00712   448   NtUserBuildNameList  (40, 256, 1327400, 1244156, ... ) == 0x0
 00713   448   NtUserGetProcessWindowStation  (... ) == 0x28
 00714   448   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x40
 00715   448   NtUserBuildHwndList  (64, 0, 0, 0, 64, ... (0x3004c, 0x100de, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100da, 0x100d2, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20064, 0x100ce, 0x100c4, 0x100c2, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0
 00716   448   NtUserQueryWindow  (196684, 0, ... ) == 0x774
 00717   448   NtUserQueryWindow  (196684, 1, ... ) == 0x788
 00718   448   NtUserQueryWindow  (65758, 0, ... ) == 0x774
 00719   448   NtUserQueryWindow  (65758, 1, ... ) == 0x788
 00720   448   NtUserQueryWindow  (65706, 0, ... ) == 0x7e4
 00721   448   NtUserQueryWindow  (65706, 1, ... ) == 0x7e8
 00722   448   NtUserQueryWindow  (65704, 0, ... ) == 0x7e4
 00723   448   NtUserQueryWindow  (65704, 1, ... ) == 0x7e8
 00724   448   NtUserQueryWindow  (65702, 0, ... ) == 0x7e4
 00725   448   NtUserQueryWindow  (65702, 1, ... ) == 0x7e8
 00726   448   NtUserQueryWindow  (131168, 0, ... ) == 0x7e4
 00727   448   NtUserQueryWindow  (131168, 1, ... ) == 0x7e8
 00728   448   NtUserQueryWindow  (65696, 0, ... ) == 0x774
 00729   448   NtUserQueryWindow  (65696, 1, ... ) == 0x788
 00730   448   NtUserQueryWindow  (65662, 0, ... ) == 0x774
 00731   448   NtUserQueryWindow  (65662, 1, ... ) == 0x788
 00732   448   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 00733   448   NtUserQueryWindow  (65664, 0, ... ) == 0x774
 00734   448   NtUserQueryWindow  (65664, 1, ... ) == 0x788
 00735   448   NtUserQueryWindow  (65670, 0, ... ) == 0x774
 00736   448   NtUserQueryWindow  (65670, 1, ... ) == 0x788
 00737   448   NtUserQueryWindow  (65672, 0, ... ) == 0x774
 00738   448   NtUserQueryWindow  (65672, 1, ... ) == 0x788
 00739   448   NtUserQueryWindow  (65674, 0, ... ) == 0x774
 00740   448   NtUserQueryWindow  (65674, 1, ... ) == 0x788
 00741   448   NtUserQueryWindow  (65678, 0, ... ) == 0x774
 00742   448   NtUserQueryWindow  (65678, 1, ... ) == 0x788
 00743   448   NtUserQueryWindow  (65680, 0, ... ) == 0x774
 00744   448   NtUserQueryWindow  (65680, 1, ... ) == 0x788
 00745   448   NtUserQueryWindow  (65682, 0, ... ) == 0x774
 00746   448   NtUserQueryWindow  (65682, 1, ... ) == 0x788
 00747   448   NtUserQueryWindow  (65684, 0, ... ) == 0x774
 00748   448   NtUserQueryWindow  (65684, 1, ... ) == 0x788
 00749   448   NtUserQueryWindow  (65686, 0, ... ) == 0x774
 00750   448   NtUserQueryWindow  (65686, 1, ... ) == 0x788
 00751   448   NtUserQueryWindow  (65690, 0, ... ) == 0x774
 00752   448   NtUserQueryWindow  (65690, 1, ... ) == 0x788
 00753   448   NtUserQueryWindow  (65692, 0, ... ) == 0x774
 00754   448   NtUserQueryWindow  (65692, 1, ... ) == 0x788
 00755   448   NtUserQueryWindow  (65694, 0, ... ) == 0x774
 00756   448   NtUserQueryWindow  (65694, 1, ... ) == 0x788
 00757   448   NtUserQueryWindow  (65652, 0, ... ) == 0x774
 00758   448   NtUserQueryWindow  (65652, 1, ... ) == 0x788
 00759   448   NtUserQueryWindow  (65640, 0, ... ) == 0x774
 00760   448   NtUserQueryWindow  (65640, 1, ... ) == 0x788
 00761   448   NtUserQueryWindow  (196682, 0, ... ) == 0x774
 00762   448   NtUserQueryWindow  (196682, 1, ... ) == 0x788
 00763   448   NtUserQueryWindow  (65638, 0, ... ) == 0x774
 00764   448   NtUserQueryWindow  (65638, 1, ... ) == 0x788
 00765   448   NtUserQueryWindow  (196668, 0, ... ) == 0x774
 00766   448   NtUserQueryWindow  (196668, 1, ... ) == 0x788
 00767   448   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 00768   448   NtUserQueryWindow  (196670, 0, ... ) == 0x774
 00769   448   NtUserQueryWindow  (196670, 1, ... ) == 0x788
 00770   448   NtUserQueryWindow  (196674, 0, ... ) == 0x774
 00771   448   NtUserQueryWindow  (196674, 1, ... ) == 0x788
 00772   448   NtUserQueryWindow  (196672, 0, ... ) == 0x774
 00773   448   NtUserQueryWindow  (196672, 1, ... ) == 0x788
 00774   448   NtUserQueryWindow  (196676, 0, ... ) == 0x774
 00775   448   NtUserQueryWindow  (196676, 1, ... ) == 0x788
 00776   448   NtUserQueryWindow  (196678, 0, ... ) == 0x774
 00777   448   NtUserQueryWindow  (196678, 1, ... ) == 0x788
 00778   448   NtUserQueryWindow  (196680, 0, ... ) == 0x774
 00779   448   NtUserQueryWindow  (196680, 1, ... ) == 0x788
 00780   448   NtUserQueryWindow  (65642, 0, ... ) == 0x774
 00781   448   NtUserQueryWindow  (65642, 1, ... ) == 0x788
 00782   448   NtUserQueryWindow  (65646, 0, ... ) == 0x774
 00783   448   NtUserQueryWindow  (65646, 1, ... ) == 0x788
 00784   448   NtUserQueryWindow  (65650, 0, ... ) == 0x774
 00785   448   NtUserQueryWindow  (65650, 1, ... ) == 0x788
 00786   448   NtUserQueryWindow  (65688, 0, ... ) == 0x774
 00787   448   NtUserQueryWindow  (65688, 1, ... ) == 0x788
 00788   448   NtUserQueryWindow  (65676, 0, ... ) == 0x774
 00789   448   NtUserQueryWindow  (65676, 1, ... ) == 0x788
 00790   448   NtUserQueryWindow  (65660, 0, ... ) == 0x774
 00791   448   NtUserQueryWindow  (65660, 1, ... ) == 0x778
 00792   448   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00793   448   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 00794   448   NtUserQueryWindow  (65754, 0, ... ) == 0x190
 00795   448   NtUserQueryWindow  (65754, 1, ... ) == 0x194
 00796   448   NtUserQueryWindow  (65746, 0, ... ) == 0x190
 00797   448   NtUserQueryWindow  (65746, 1, ... ) == 0x194
 00798   448   NtUserQueryWindow  (65726, 0, ... ) == 0x7f0
 00799   448   NtUserQueryWindow  (65726, 1, ... ) == 0x7f4
 00800   448   NtUserQueryWindow  (65724, 0, ... ) == 0x7f0
 00801   448   NtUserQueryWindow  (65724, 1, ... ) == 0x7f4
 00802   448   NtUserQueryWindow  (65722, 0, ... ) == 0x7f0
 00803   448   NtUserQueryWindow  (65722, 1, ... ) == 0x7f4
 00804   448   NtUserQueryWindow  (65720, 0, ... ) == 0x7f0
 00805   448   NtUserQueryWindow  (65720, 1, ... ) == 0x7f4
 00806   448   NtUserQueryWindow  (65718, 0, ... ) == 0x7f0
 00807   448   NtUserQueryWindow  (65718, 1, ... ) == 0x7f4
 00808   448   NtUserQueryWindow  (65716, 0, ... ) == 0x7f0
 00809   448   NtUserQueryWindow  (65716, 1, ... ) == 0x7f4
 00810   448   NtUserQueryWindow  (65714, 0, ... ) == 0x7f0
 00811   448   NtUserQueryWindow  (65714, 1, ... ) == 0x7f4
 00812   448   NtUserQueryWindow  (65712, 0, ... ) == 0x7f0
 00813   448   NtUserQueryWindow  (65712, 1, ... ) == 0x7f4
 00814   448   NtUserQueryWindow  (131172, 0, ... ) == 0x7fc
 00815   448   NtUserQueryWindow  (131172, 1, ... ) == 0x70
 00816   448   NtUserQueryWindow  (65742, 0, ... ) == 0x774
 00817   448   NtUserQueryWindow  (65742, 1, ... ) == 0x1a0
 00818   448   NtUserQueryWindow  (65732, 0, ... ) == 0x774
 00819   448   NtUserQueryWindow  (65732, 1, ... ) == 0x1a0
 00820   448   NtUserBuildHwndList  (0, 65732, 1, 0, 64, ... (0x100c6, 0x100c8, 0x100ca, 0x100cc, 0x1, ), 5, ) == 0x0
 00821   448   NtUserQueryWindow  (65734, 0, ... ) == 0x774
 00822   448   NtUserQueryWindow  (65734, 1, ... ) == 0x1a0
 00823   448   NtUserQueryWindow  (65736, 0, ... ) == 0x774
 00824   448   NtUserQueryWindow  (65736, 1, ... ) == 0x1a0
 00825   448   NtUserQueryWindow  (65738, 0, ... ) == 0x774
 00826   448   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 00827   448   NtUserQueryWindow  (65740, 0, ... ) == 0x774
 00828   448   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 00829   448   NtUserQueryWindow  (65730, 0, ... ) == 0x774
 00830   448   NtUserQueryWindow  (65730, 1, ... ) == 0x788
 00831   448   NtUserQueryWindow  (65708, 0, ... ) == 0x7e4
 00832   448   NtUserQueryWindow  (65708, 1, ... ) == 0x7e8
 00833   448   NtUserQueryWindow  (131170, 0, ... ) == 0x7dc
 00834   448   NtUserQueryWindow  (131170, 1, ... ) == 0x7e0
 00835   448   NtUserQueryWindow  (65644, 0, ... ) == 0x774
 00836   448   NtUserQueryWindow  (65644, 1, ... ) == 0x7b0
 00837   448   NtUserQueryWindow  (327760, 0, ... ) == 0x774
 00838   448   NtUserQueryWindow  (327760, 1, ... ) == 0x778
 00839   448   NtUserQueryWindow  (262228, 0, ... ) == 0x774
 00840   448   NtUserQueryWindow  (262228, 1, ... ) == 0x778
 00841   448   NtUserQueryWindow  (327758, 0, ... ) == 0x774
 00842   448   NtUserQueryWindow  (327758, 1, ... ) == 0x778
 00843   448   NtUserQueryWindow  (65666, 0, ... ) == 0x774
 00844   448   NtUserQueryWindow  (65666, 1, ... ) == 0x778
 00845   448   NtUserQueryWindow  (65654, 0, ... ) == 0x774
 00846   448   NtUserQueryWindow  (65654, 1, ... ) == 0x778
 00847   448   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 00848   448   NtUserQueryWindow  (65656, 0, ... ) == 0x774
 00849   448   NtUserQueryWindow  (65656, 1, ... ) == 0x778
 00850   448   NtUserQueryWindow  (65658, 0, ... ) == 0x774
 00851   448   NtUserQueryWindow  (65658, 1, ... ) == 0x778
 00852   448   NtUserCloseDesktop  (64, ...
 00853   448   NtClose  (64, ... ) == 0x0
 00852   448   NtUserCloseDesktop  ... ) == 0x1
 00854   448   NtUserGetProcessWindowStation  (... ) == 0x28
 00855   448   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 00856   448   NtUserGetProcessWindowStation  (... ) == 0x28
 00857   448   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 00858   448   NtGdiDeleteObjectApp  (134874196, ... ) == 0x1
 00859   448   NtGdiDeleteObjectApp  (101319765, ... ) == 0x1
 00860   448   NtClose  (56, ... ) == 0x0
 00861   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 00862   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 00863   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 00864   448   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00865   448   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1600019804, 13762560, 8, 104}  (24, {20, 48, new_msg, 0, 1600019804, 13762560, 8, 104} "\0\0\0\0\3\0\1\0\0\0\322\0P\7\322\0\0\0\0\0" ... {20, 48, reply, 0, 444, 448, 1585, 0} "\0\0\0\0\3\0\1\0\0\0\0\0P\7\322\0\0\0\0\0" )  ... {20, 48, reply, 0, 444, 448, 1585, 0}  (24, {20, 48, new_msg, 0, 1600019804, 13762560, 8, 104} "\0\0\0\0\3\0\1\0\0\0\322\0P\7\322\0\0\0\0\0" ... {20, 48, reply, 0, 444, 448, 1585, 0} "\0\0\0\0\3\0\1\0\0\0\0\0P\7\322\0\0\0\0\0" )  ) == 0x0
 00866   448   NtTerminateProcess  (-1, 0, ...
 00867   448   NtClose  (44, ... ) == 0x0
NtCallbackReturn(>)	1	NtUserBuildNameList(>)	1	NtOpenProcessToken(>)	3	NtUserCallNoParam(>)	9
NtConnectPort(>)	1	NtUserGetGUIThreadInfo(>)	1	NtQueryInformationFile(>)	3	NtUserFindExistingCursorIcon(>)	9
NtCreateFile(>)	1	NtUserGetThreadDesktop(>)	1	NtUserOpenDesktop(>)	3	NtUserGetWindowDC(>)	10
NtDeviceIoControlFile(>)	1	NtUserRegisterWindowMessage(>)	1	NtFlushInstructionCache(>)	4	NtOpenFile(>)	11
NtFsControlFile(>)	1	NtUserSystemParametersInfo(>)	1	NtQueryKey(>)	4	NtUserCallOneParam(>)	11
NtGdiCreateBitmap(>)	1	NtDuplicateObject(>)	2	NtSetInformationObject(>)	4	NtQueryInformationToken(>)	12
NtGdiCreatePatternBrushInternal(>)	1	NtGdiCreateSolidBrush(>)	2	NtCreateKey(>)	5	NtUserRegisterClassExWOW(>)	15
NtGdiInit(>)	1	NtGdiHfontCreate(>)	2	NtGdiGetStockObject(>)	5	NtQueryAttributesFile(>)	18
NtGdiQueryFontAssocInfo(>)	1	NtNotifyChangeKey(>)	2	NtQuerySection(>)	5	NtQuerySystemInformation(>)	18
NtGdiSelectBitmap(>)	1	NtOpenDirectoryObject(>)	2	NtSetInformationThread(>)	5	NtOpenSection(>)	19
NtOpenEvent(>)	1	NtQueryDefaultLocale(>)	2	NtUserBuildHwndList(>)	5	NtContinue(>)	20
NtOpenKeyedEvent(>)	1	NtQueryInformationProcess(>)	2	NtUserGetProcessWindowStation(>)	5	NtMapViewOfSection(>)	21
NtOpenMutant(>)	1	NtQueryVirtualMemory(>)	2	NtCreateSection(>)	6	NtWaitForSingleObject(>)	21
NtOpenSymbolicLinkObject(>)	1	NtTerminateProcess(>)	2	NtSetValueKey(>)	6	NtFreeVirtualMemory(>)	25
NtQueryObject(>)	1	NtUnmapViewOfSection(>)	2	NtQueryVolumeInformationFile(>)	7	NtReleaseMutant(>)	38
NtQueryPerformanceCounter(>)	1	NtUserCloseDesktop(>)	2	NtRequestWaitReplyPort(>)	7	NtOpenKey(>)	57
NtQuerySymbolicLinkObject(>)	1	NtUserGetObjectInformation(>)	2	NtOpenProcessTokenEx(>)	8	NtClose(>)	86
NtRegisterThreadTerminatePort(>)	1	NtCreateEvent(>)	3	NtOpenThreadTokenEx(>)	8	NtAllocateVirtualMemory(>)	99
NtSecureConnectPort(>)	1	NtGdiCreateCompatibleDC(>)	3	NtProtectVirtualMemory(>)	8	NtQueryValueKey(>)	99
NtTestAlert(>)	1	NtGdiDeleteObjectApp(>)	3	NtSetInformationFile(>)	8	NtUserQueryWindow(>)	132