Summary:


NtCallbackReturn(>)  1 
NtUserGetImeInfoEx(>)  1 
NtUserGetObjectInformation(>)  4 
NtDeviceIoControlFile(>)  16 

NtCreateProcessEx(>)  1 
NtUserOpenWindowStation(>)  1 
NtUserMessageCall(>)  4 
NtCreateEvent(>)  17 

NtCreateSemaphore(>)  1 
NtUserSetCursor(>)  1 
NtUserRemoveProp(>)  4 
NtRequestWaitReplyPort(>)  18 

NtCreateThread(>)  1 
NtUserSetProp(>)  1 
NtDuplicateObject(>)  5 
NtWaitForSingleObject(>)  18 

NtGdiCreateBitmap(>)  1 
NtUserSetWindowLong(>)  1 
NtGdiGetStockObject(>)  5 
NtUserCallOneParam(>)  20 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserUpdateInputContext(>)  1 
NtReadFile(>)  5 
NtQuerySection(>)  21 

NtGdiGetTextCharsetInfo(>)  1 
NtAccessCheck(>)  2 
NtSetInformationFile(>)  5 
NtQueryDirectoryFile(>)  24 

NtGdiGetTextFaceW(>)  1 
NtConnectPort(>)  2 
NtUserBuildHwndList(>)  5 
NtCreateFile(>)  26 

NtGdiGetTextMetricsW(>)  1 
NtCreateIoCompletion(>)  2 
NtWriteVirtualMemory(>)  5 
NtOpenSection(>)  27 

NtGdiGetWidthTable(>)  1 
NtDuplicateToken(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtQueryDebugFilterState(>)  29 

NtGdiInit(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFsControlFile(>)  7 
NtOpenProcessTokenEx(>)  36 

NtGdiQueryFontAssocInfo(>)  1 
NtNotifyChangeKey(>)  2 
NtQueryInformationFile(>)  7 
NtOpenThreadTokenEx(>)  36 

NtGdiSelectBitmap(>)  1 
NtQueryInformationJobObject(>)  2 
NtUserGetDC(>)  7 
NtQueryVirtualMemory(>)  39 

NtLockVirtualMemory(>)  1 
NtQueryPerformanceCounter(>)  2 
NtWaitForMultipleObjects(>)  7 
NtQueryInformationToken(>)  47 

NtOpenEvent(>)  1 
NtTerminateProcess(>)  2 
NtEnumerateKey(>)  8 
NtSetInformationProcess(>)  49 

NtOpenKeyedEvent(>)  1 
NtUserCloseWindowStation(>)  2 
NtOpenProcessToken(>)  8 
NtQueryDefaultLocale(>)  60 

NtOpenMutant(>)  1 
NtUserPostThreadMessage(>)  2 
NtOpenThreadToken(>)  8 
NtQueryInformationProcess(>)  64 

NtQueryInstallUILanguage(>)  1 
NtUserSetWindowFNID(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtUnmapViewOfSection(>)  64 

NtQueryObject(>)  1 
NtUserSetWindowsHookEx(>)  2 
NtSetValueKey(>)  8 
NtCreateSection(>)  69 

NtQuerySystemTime(>)  1 
NtUserUnhookWindowsHookEx(>)  2 
NtUserSystemParametersInfo(>)  8 
NtOpenFile(>)  70 

NtRegisterThreadTerminatePort(>)  1 
NtGdiHfontCreate(>)  3 
NtUserCallNoParam(>)  9 
NtAllocateVirtualMemory(>)  77 

NtResumeThread(>)  1 
NtOpenDirectoryObject(>)  3 
NtCreateMutant(>)  10 
NtQuerySystemInformation(>)  78 

NtSecureConnectPort(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtCreateKey(>)  11 
NtMapViewOfSection(>)  88 

NtTestAlert(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtFreeVirtualMemory(>)  11 
NtQueryAttributesFile(>)  99 

NtUserBuildNameList(>)  1 
NtReadVirtualMemory(>)  3 
NtUserFindExistingCursorIcon(>)  11 
NtFlushInstructionCache(>)  121 

NtUserCallHwndParam(>)  1 
NtSetEvent(>)  3 
NtWriteFile(>)  11 
NtUserValidateHandleSecure(>)  139 

NtUserCloseDesktop(>)  1 
NtSetInformationObject(>)  3 
NtReleaseMutant(>)  12 
NtUserQueryWindow(>)  160 

NtUserCreateWindowEx(>)  1 
NtUserGetThreadDesktop(>)  3 
NtUserGetWindowDC(>)  12 
NtOpenKey(>)  222 

NtUserGetAtomName(>)  1 
NtUserOpenDesktop(>)  3 
NtUserRegisterWindowMessage(>)  13 
NtProtectVirtualMemory(>)  243 

NtUserGetClassName(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtContinue(>)  15 
NtQueryValueKey(>)  243 

NtUserGetForegroundWindow(>)  1 
NtGdiDeleteObjectApp(>)  4 
NtSetInformationThread(>)  15 
NtClose(>)  384 

NtUserGetGUIThreadInfo(>)  1 
NtQueryVolumeInformationFile(>)  4 
NtUserRegisterClassExWOW(>)  15 

Trace:
 00001  1036   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1036   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1036   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1036   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1036   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1036   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1036   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1036   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1036   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1036   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1036   NtClose  (12, ... ) == 0x0
 00015  1036   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1036   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1036   NtClose  (16, ... ) == 0x0
 00021  1036   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1036   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1036   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1036   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1036   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1036   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1036   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1036   NtClose  (16, ... ) == 0x0
 00030  1036   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1036   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1036   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1036   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1036   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1248, 1036, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 1248, 1036, 57957, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1248, 1036, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036  1036   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1036   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1036   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1036   NtClose  (16, ... ) == 0x0
 00041  1036   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1036   NtClose  (16, ... ) == 0x0
 00044  1036   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1036   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1036   NtClose  (16, ... ) == 0x0
 00048  1036   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1036   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1036   NtClose  (16, ... ) == 0x0
 00052  1036   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1036   NtClose  (16, ... ) == 0x0
 00055  1036   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1036   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1036   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1036   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1036   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1248, 1036, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 1248, 1036, 57958, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1248, 1036, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060  1036   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1248, 1036, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 1248, 1036, 57959, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1248, 1036, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061  1036   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 4, ... (0x46b000), 151552, 128, ) == 0x0
 00062  1036   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 128, ... (0x46b000), 151552, 4, ) == 0x0
 00063  1036   NtFlushInstructionCache  (-1, 4632576, 151552, ... ) == 0x0
 00064  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00065  1036   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00066  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ws2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00067  1036   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00068  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ws2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00069  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ws2_32.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00070  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00071  1036   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00072  1036   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00073  1036   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00074  1036   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00075  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00076  1036   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00077  1036   NtClose  (36, ... ) == 0x0
 00078  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00079  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00080  1036   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00081  1036   NtClose  (36, ... ) == 0x0
 00082  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083  1036   NtClose  (32, ... ) == 0x0
 00084  1036   NtClose  (16, ... ) == 0x0
 00085  1036   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00086  1036   NtClose  (28, ... ) == 0x0
 00087  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00088  1036   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00089  1036   NtClose  (28, ... ) == 0x0
 00090  1036   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00091  1036   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00092  1036   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00093  1036   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00094  1036   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00095  1036   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00096  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00099  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00100  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00101  1036   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00102  1036   NtClose  (28, ... ) == 0x0
 00103  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00104  1036   NtClose  (16, ... ) == 0x0
 00105  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00106  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00107  1036   NtClose  (16, ... ) == 0x0
 00108  1036   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00109  1036   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00110  1036   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00111  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00112  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00113  1036   NtClose  (16, ... ) == 0x0
 00114  1036   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00115  1036   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00116  1036   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00117  1036   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00118  1036   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00119  1036   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00120  1036   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00121  1036   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00122  1036   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00123  1036   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00124  1036   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00125  1036   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00126  1036   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00127  1036   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00128  1036   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00129  1036   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00130  1036   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00131  1036   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00132  1036   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 4, ... (0x46b000), 151552, 64, ) == 0x0
 00133  1036   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 64, ... (0x46b000), 151552, 4, ) == 0x0
 00134  1036   NtFlushInstructionCache  (-1, 4632576, 151552, ... ) == 0x0
 00135  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00136  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00137  1036   NtClose  (16, ... ) == 0x0
 00138  1036   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00139  1036   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00140  1036   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00141  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00142  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00143  1036   NtClose  (16, ... ) == 0x0
 00144  1036   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00145  1036   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00146  1036   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00147  1036   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00148  1036   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00149  1036   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00150  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00151  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00152  1036   NtClose  (16, ... ) == 0x0
 00153  1036   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00154  1036   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00155  1036   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00156  1036   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00157  1036   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00158  1036   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00159  1036   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00160  1036   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00161  1036   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00162  1036   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00163  1036   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00164  1036   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00165  1036   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00166  1036   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00167  1036   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00168  1036   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00169  1036   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00170  1036   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00171  1036   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00172  1036   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00173  1036   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00174  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00175  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00176  1036   NtClose  (16, ... ) == 0x0
 00177  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00178  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00179  1036   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00180  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00181  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00182  1036   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00183  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00184  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00185  1036   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00186  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00187  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00188  1036   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00189  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00190  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00191  1036   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00192  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00193  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00194  1036   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00195  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00196  1036   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00197  1036   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00198  1036   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00199  1036   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00200  1036   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00201  1036   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00202  1036   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00203  1036   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00204  1036   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00205  1036   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00206  1036   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00207  1036   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 4, ... (0x46b000), 151552, 64, ) == 0x0
 00208  1036   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 64, ... (0x46b000), 151552, 4, ) == 0x0
 00209  1036   NtFlushInstructionCache  (-1, 4632576, 151552, ... ) == 0x0
 00210  1036   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 4, ... (0x46b000), 151552, 64, ) == 0x0
 00211  1036   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 64, ... (0x46b000), 151552, 4, ) == 0x0
 00212  1036   NtFlushInstructionCache  (-1, 4632576, 151552, ... ) == 0x0
 00213  1036   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00214  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00215  1036   NtReadFile  (16, 0, 0, 0, 4, {260092, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {260092, 0}, 0, ... {status=0x0, info=4}, "\0\0\0\0", ) , ) == 0x0
 00216  1036   NtReadFile  (16, 0, 0, 0, 8, {260084, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {260084, 0}, 0, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00217  1036   NtReadFile  (16, 0, 0, 0, 4, {0, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {0, 0}, 0, ... {status=0x0, info=4}, "MZ\220\0", ) , ) == 0x0
 00218  1036   NtClose  (16, ... ) == 0x0
 00219  1036   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00220  1036   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00221  1036   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00222  1036   NtClose  (16, ... ) == 0x0
 00223  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224  1036   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225  1036   NtClose  (16, ... ) == 0x0
 00226  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00227  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00228  1036   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00229  1036   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00230  1036   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00231  1036   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00232  1036   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00233  1036   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00234  1036   NtClose  (16, ... ) == 0x0
 00235  1036   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00236  1036   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00237  1036   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00238  1036   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00239  1036   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00240  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00241  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00243  1036   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00244  1036   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00245  1036   NtClose  (16, ... ) == 0x0
 00246  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00247  1036   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248  1036   NtClose  (16, ... ) == 0x0
 00249  1036   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00250  1036   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00251  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00255  1036   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00256  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00258  1036   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6\31\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1248, 1036, 57960, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 1248, 1036, 57960, 0}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6\31\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1248, 1036, 57960, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00259  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00260  1036   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00261  1036   NtClose  (28, ... ) == 0x0
 00262  1036   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00263  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00264  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00265  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00266  1036   NtClose  (28, ... ) == 0x0
 00267  1036   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00268  1036   NtClose  (32, ... ) == 0x0
 00269  1036   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00270  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00271  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00272  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00273  1036   NtClose  (32, ... ) == 0x0
 00274  1036   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00275  1036   NtClose  (28, ... ) == 0x0
 00276  1036   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00277  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00278  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00279  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00280  1036   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00281  1036   NtClose  (28, ... ) == 0x0
 00282  1036   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00283  1036   NtClose  (32, ... ) == 0x0
 00284  1036   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00285  1036   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00286  1036   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00287  1036   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00288  1036   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00289  1036   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00290  1036   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00291  1036   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00292  1036   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00293  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00294  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00295  1036   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00296  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00297  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00300  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00301  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00303  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00305  1036   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00306  1036   NtClose  (32, ... ) == 0x0
 00307  1036   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x570000), 0x0, 1060864, ) == 0x0
 00308  1036   NtClose  (-2147482740, ... ) == 0x0
 00309  1036   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00310  1036   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00311  1036   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00312  1036   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00313  1036   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00314  1036   NtClose  (-2147482740, ... ) == 0x0
 00315  1036   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00316  1036   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00317  1036   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00318  1036   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00319  1036   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00320  1036   NtClose  (-2147482740, ... ) == 0x0
 00321  1036   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00322  1036   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00323  1036   NtClose  (-2147482740, ... ) == 0x0
 00324  1036   NtQueryDefaultLocale  (0, -139609780, ... ) == 0x0
 00325  1036   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00326  1036   NtUserCallNoParam  (24, ... ) == 0x0
 00327  1036   NtGdiCreateCompatibleDC  (0, ...
 00328  1036   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00327  1036   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00329  1036   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00330  1036   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00331  1036   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00332  1036   NtGdiCreateSolidBrush  (0, 0, ...
 00333  1036   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00332  1036   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00334  1036   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00335  1036   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00336  1036   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00337  1036   NtUserGetThreadDesktop  (1036, 0, ... ) == 0x24
 00338  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00339  1036   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00340  1036   NtClose  (44, ... ) == 0x0
 00341  1036   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00342  1036   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x816ec017
 00343  1036   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00344  1036   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x816ec01c
 00345  1036   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00346  1036   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x816ec01e
 00347  1036   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00348  1036   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x816e8002
 00349  1036   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00350  1036   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x816ec018
 00351  1036   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00352  1036   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x816ec01a
 00353  1036   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00354  1036   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x816ec01d
 00355  1036   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00356  1036   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x816ec026
 00357  1036   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00358  1036   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x816ec019
 00359  1036   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x816ec020
 00360  1036   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x816ec022
 00361  1036   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x816ec023
 00362  1036   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x816ec024
 00363  1036   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x816ec025
 00364  1036   NtCallbackReturn  (0, 0, 0, ...
 00365  1036   NtGdiInit  (... ) == 0x1
 00366  1036   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00367  1036   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00368  1036   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00369  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0
 00370  1036   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\20\320L\35T\210\206\216\252L\356\210KEI\223\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00371  1036   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00372  1036   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00373  1036   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00374  1036   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00375  1036   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00376  1036   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00377  1036   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00378  1036   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00379  1036   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "g\44\325\210^\314\247\331\320\244k\11?T\310\276\302\356\260\245\227@(b?A\365qJ\224\266\366u\313\177\251C\373Wj:o\213a\14kW\13\273"d7Dl\272\342\366`\207\223\232\265\220jF\4\320\250\326\320\336r\220\361\337\361c\256\214", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "g\44\325\210^\314\247\331\320\244k\11?T\310\276\302\356\260\245\227@(b?A\365qJ\224\266\366u\313\177\251C\373Wj:o\213a\14kW\13\273"d7Dl\272\342\366`\207\223\232\265\220jF\4\320\250\326\320\336r\220\361\337\361c\256\214", 80, ... ) d7Dl\272\342\366`\207\223\232\265\220jF\4\320\250\326\320\336r\220\361\337\361c\256\214", 80, ... ) == 0x0
 00380  1036   NtClose  (-2147482740, ... ) == 0x0
 00370  1036   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\17\211\350\222\357\312\257m\363\177\236\336\n\207mk"\233+\220R5h\337\303\15\267\245\2771\27\27\365\17\265\3366 \216\321\260#\242\217\321\323\364=P\356\241\307\331\205\322\3177\25\201\3451\6+\32\257\324\243-\231nu2\33\340g\17/\323\377O7J\15"\214iZ\37\304\360\367\214\355xJ\305\245\354\256\266\27=\244\233F\253\27\233\35i\375\323c<\11\l\255\5\0%I\2002Q\36\35\12nZ\327\312j.1YM\274\216\311\314\246p\251~\3.`\266\266\226\354J\276\215\257\26\13i\233\231\311\373:q[\244?\M\366.*\15O^\361\32\226\301\331\22Z\305\244\265\244a'\304\226\306O8\242\14\35S?\224UT\201\0\20\0\260\300\230 \347\313fD\336\177d\374W\362[\255(\27Q\304trB-\252\206eG\31\200\270\362\310E\\25\240\232\346\300s\305)\354\254\347\277M", ) \233+\220R5h\337\303\15\267\245\2771\27\27\365\17\265\3366 \216\321\260#\242\217\321\323\364=P\356\241\307\331\205\322\3177\25\201\3451\6+\32\257\324\243-\231nu2\33\340g\17/\323\377O7J\15 ... {status=0x0, info=256}, "\17\211\350\222\357\312\257m\363\177\236\336\n\207mk"\233+\220R5h\337\303\15\267\245\2771\27\27\365\17\265\3366 \216\321\260#\242\217\321\323\364=P\356\241\307\331\205\322\3177\25\201\3451\6+\32\257\324\243-\231nu2\33\340g\17/\323\377O7J\15"\214iZ\37\304\360\367\214\355xJ\305\245\354\256\266\27=\244\233F\253\27\233\35i\375\323c<\11\l\255\5\0%I\2002Q\36\35\12nZ\327\312j.1YM\274\216\311\314\246p\251~\3.`\266\266\226\354J\276\215\257\26\13i\233\231\311\373:q[\244?\M\366.*\15O^\361\32\226\301\331\22Z\305\244\265\244a'\304\226\306O8\242\14\35S?\224UT\201\0\20\0\260\300\230 \347\313fD\336\177d\374W\362[\255(\27Q\304trB-\252\206eG\31\200\270\362\310E\\25\240\232\346\300s\305)\354\254\347\277M", ) , ) == 0x0
 00381  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00382  1036   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00383  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0
 00384  1036   NtQueryValueKey  (48,  (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00385  1036   NtClose  (48, ... ) == 0x0
 00386  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0
 00387  1036   NtQueryValueKey  (48,  (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00388  1036   NtClose  (48, ... ) == 0x0
 00389  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00390  1036   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00391  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00392  1036   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00393  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0
 00394  1036   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00395  1036   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00396  1036   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00397  1036   NtClose  (48, ... ) == 0x0
 00398  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0
 00399  1036   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400  1036   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00401  1036   NtClose  (48, ... ) == 0x0
 00402  1036   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00403  1036   NtOpenEvent  (0x1f0003, {24, 48, 0x0, 0, 0,  (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00404  1036   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00405  1036   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406  1036   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00407  1036   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408  1036   NtTestAlert  (... ) == 0x0
 00409  1036   NtContinue  (1244464, 1, ...
 00410  1036   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401000,}, 4, ... ) == 0x0
 00411  1036   NtAllocateVirtualMemory  (-1, 0, 0, 278528, 4096, 64, ... 3538944, 278528, ) == 0x0
 00412  1036   NtAllocateVirtualMemory  (-1, 0, 0, 278528, 4096, 64, ... 3866624, 278528, ) == 0x0
 00413  1036   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 278528, ) == 0x0
 00414  1036   NtAllocateVirtualMemory  (-1, 0, 0, 1350, 4096, 4, ... 3538944, 4096, ) == 0x0
 00415  1036   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00416  1036   NtAllocateVirtualMemory  (-1, 0, 0, 208384, 4096, 4, ... 3538944, 208896, ) == 0x0
 00417  1036   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 208896, ) == 0x0
 00418  1036   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 4, ... 3538944, 4096, ) == 0x0
 00419  1036   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00420  1036   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0
 00421  1036   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00422  1036   NtAllocateVirtualMemory  (-1, 0, 0, 10752, 4096, 4, ... 3538944, 12288, ) == 0x0
 00423  1036   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 12288, ) == 0x0
 00424  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00425  1036   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00426  1036   NtClose  (52, ... ) == 0x0
 00427  1036   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00428  1036   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00429  1036   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00430  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00432  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00433  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wsock32.dll"}, 1242940, ... ) }, 1242940, ... ) == 0x0
 00434  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wsock32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00435  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0
 00436  1036   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00437  1036   NtClose  (52, ... ) == 0x0
 00438  1036   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 36864, ) == 0x0
 00439  1036   NtClose  (56, ... ) == 0x0
 00440  1036   NtProtectVirtualMemory  (-1, (0x71ad1000), 52, 4, ... (0x71ad1000), 4096, 32, ) == 0x0
 00441  1036   NtProtectVirtualMemory  (-1, (0x71ad1000), 4096, 32, ... (0x71ad1000), 4096, 4, ) == 0x0
 00442  1036   NtFlushInstructionCache  (-1, 1907167232, 52, ... ) == 0x0
 00443  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00444  1036   NtQueryPerformanceCounter  (... {924254384, 10}, {3579545, 0}, ) == 0x0
 00445  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00446  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00447  1036   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00448  1036   NtClose  (56, ... ) == 0x0
 00449  1036   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00450  1036   NtSetInformationObject  (56, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00451  1036   NtOpenKey  (0xf003f, {24, 56, 0x40, 0, 0,  (0xf003f, {24, 56, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00452  1036   NtOpenKey  (0xf003f, {24, 56, 0x40, 0, 0,  (0xf003f, {24, 56, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00453  1036   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00454  1036   NtQueryInformationToken  (52, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00455  1036   NtClose  (52, ... ) == 0x0
 00456  1036   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00457  1036   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00458  1036   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9961472, 1048576, ) == 0x0
 00459  1036   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00460  1036   NtAllocateVirtualMemory  (-1, 9961472, 0, 16384, 4096, 4, ... 9961472, 16384, ) == 0x0
 00461  1036   NtUserCallNoParam  (29, ...
 00462  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242224, ... ) }, 1242224, ... ) == 0x0
 00463  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00464  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00465  1036   NtClose  (52, ... ) == 0x0
 00466  1036   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x360000), 0x0, 221184, ) == 0x0
 00467  1036   NtClose  (60, ... ) == 0x0
 00468  1036   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 00469  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242532, ... ) }, 1242532, ... ) == 0x0
 00470  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00471  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00472  1036   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00473  1036   NtClose  (60, ... ) == 0x0
 00474  1036   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00475  1036   NtClose  (52, ... ) == 0x0
 00476  1036   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00477  1036   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00478  1036   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00479  1036   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00480  1036   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00481  1036   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00482  1036   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00483  1036   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00484  1036   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00485  1036   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00486  1036   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00487  1036   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00488  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00489  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00490  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00491  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00492  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00493  1036   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00494  1036   NtClose  (52, ... ) == 0x0
 00495  1036   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00496  1036   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 60, ) }, ... 60, ) == 0x0
 00497  1036   NtQueryValueKey  (60,  (60, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498  1036   NtClose  (60, ... ) == 0x0
 00499  1036   NtClose  (52, ... ) == 0x0
 00500  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00501  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00502  1036   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00503  1036   NtClose  (52, ... ) == 0x0
 00504  1036   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00505  1036   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00506  1036   NtQueryValueKey  (60,  (60, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00507  1036   NtClose  (60, ... ) == 0x0
 00508  1036   NtClose  (52, ... ) == 0x0
 00509  1036   NtUserGetProcessWindowStation  (... ) == 0x1c
 00510  1036   NtUserGetObjectInformation  (28, 2, 1244320, 64, 1244316, ... ) == 0x1
 00511  1036   NtUserGetGUIThreadInfo  (1036, 1244340, ... ) == 0x1
 00512  1036   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244184, 64, ... 52, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244184, 64, ... 52, 0x0, 0x0, 0x0, 64, ) == 0x0
 00513  1036   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1248, 1036, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1248, 1036, 57968, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1248, 1036, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00514  1036   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1248, 1036, 57969, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1248, 1036, 57969, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1248, 1036, 57969, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00515  1036   NtUserCallNoParam  (29, ...
 00516  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241580, ... ) }, 1241580, ... ) == 0x0
 00515  1036   NtUserCallNoParam  ... ) == 0x0
 00517  1036   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00518  1036   NtGdiHfontCreate  (1243708, 356, 0, 0, 1333048, ... ) == 0x330a04e1
 00519  1036   NtGdiHfontCreate  (1243708, 356, 0, 0, 1333040, ... ) == 0x520a0634
 00520  1036   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1248, 1036, 57970, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1248, 1036, 57970, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1248, 1036, 57970, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00521  1036   NtMapViewOfSection  (60, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 327680, ) == 0x0
 00522  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00523  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00524  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00525  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00526  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00527  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00528  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00529  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00530  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00531  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00532  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00533  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00534  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00535  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00536  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00537  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00538  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00539  1036   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x72100798
 00540  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00541  1036   NtUserCallNoParam  (29, ...
 00542  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241020, ... ) }, 1241020, ... ) == 0x0
 00541  1036   NtUserCallNoParam  ... ) == 0x0
 00543  1036   NtUserCallNoParam  (29, ...
 00544  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0
 00543  1036   NtUserCallNoParam  ... ) == 0x0
 00461  1036   NtUserCallNoParam  ... ) == 0x1
 00545  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 64, ) }, ... 64, ) == 0x0
 00546  1036   NtQueryValueKey  (64,  (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00547  1036   NtQueryValueKey  (64,  (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00548  1036   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00549  1036   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Protocol_Catalog9"}, ... 72, ) }, ... 72, ) == 0x0
 00550  1036   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00551  1036   NtNotifyChangeKey  (72, 68, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00552  1036   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00553  1036   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554  1036   NtQueryValueKey  (72,  (72, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00555  1036   NtQueryValueKey  (72,  (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00556  1036   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Catalog_Entries"}, ... 76, ) }, ... 76, ) == 0x0
 00557  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000001"}, ... 80, ) }, ... 80, ) == 0x0
 00558  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00559  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00560  1036   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00561  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\02\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\02\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\03\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\24\0\0\0\24\0\0\0\0\360\375\177\211e@\0\0\2\0\0\4\0\0\0\0\0\0\08\275D\0\12D@\0:n@\0\2\0\0\0\240\16\210\0@\15\210\0\24\0\0\0\0\0\0\0\0\360\375\177\6\0\0\0\4=\264\367\224\377\22\0\1\0\0\0\340\377\22\0d\222@\0\30\321@\0\0\0\0\0\360\377\22\0\327o\201|\24\0\0\0\0\0\0\0\0\360\375\177\375?T\200\310\377\22\0P$t\201\377\377\377\377\250\232\203|\340o\201|\0\0\0\0\0\0\0\0\0\0\0\0\206m@\0\0\0\0\0Actx \0\0\0\1\0\0\0\230$\0\0\304\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\24\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\02\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\02\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\03\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\24\0\0\0\24\0\0\0\0\360\375\177\211e@\0\0\2\0\0\4\0\0\0\0\0\0\08\275D\0\12D@\0:n@\0\2\0\0\0\240\16\210\0@\15\210\0\24\0\0\0\0\0\0\0\0\360\375\177\6\0\0\0\4=\264\367\224\377\22\0\1\0\0\0\340\377\22\0d\222@\0\30\321@\0\0\0\0\0\360\377\22\0\327o\201|\24\0\0\0\0\0\0\0\0\360\375\177\375?T\200\310\377\22\0P$t\201\377\377\377\377\250\232\203|\340o\201|\0\0\0\0\0\0\0\0\0\0\0\0\206m@\0\0\0\0\0Actx \0\0\0\1\0\0\0\230$\0\0\304\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\24\0\0\0"}, 900, ) }, 900, ) == 0x0
 00562  1036   NtClose  (80, ... ) == 0x0
 00563  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000002"}, ... 80, ) }, ... 80, ) == 0x0
 00564  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00565  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00566  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\07\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\07\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\08\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\09\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\07\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\07\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\08\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\09\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\07\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\07\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\08\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\09\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00567  1036   NtClose  (80, ... ) == 0x0
 00568  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000003"}, ... 80, ) }, ... 80, ) == 0x0
 00569  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00570  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00571  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0<\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0<\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0=\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0>\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0<\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0<\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0=\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0>\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0<\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0<\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0=\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0>\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00572  1036   NtClose  (80, ... ) == 0x0
 00573  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000004"}, ... 80, ) }, ... 80, ) == 0x0
 00574  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00575  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00576  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0A\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0A\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0B\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0B\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0C\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0C\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0D\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0A\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0A\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0B\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0B\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0C\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0C\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0D\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0C\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0D\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0A\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0A\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0B\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0B\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0C\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0C\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0D\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00577  1036   NtClose  (80, ... ) == 0x0
 00578  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000005"}, ... 80, ) }, ... 80, ) == 0x0
 00579  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00580  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00581  1036   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00582  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0G\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0G\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0H\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0I\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0G\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0G\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0H\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0I\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0G\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0G\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0H\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0I\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00583  1036   NtClose  (80, ... ) == 0x0
 00584  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000006"}, ... 80, ) }, ... 80, ) == 0x0
 00585  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00586  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00587  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0L\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0L\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0M\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0L\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0L\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0M\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0L\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0L\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0M\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00588  1036   NtClose  (80, ... ) == 0x0
 00589  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000007"}, ... 80, ) }, ... 80, ) == 0x0
 00590  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00591  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00592  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Q\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0Q\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0R\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0S\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Q\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0Q\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0R\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0S\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Q\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0Q\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0R\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0S\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00593  1036   NtClose  (80, ... ) == 0x0
 00594  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000008"}, ... 80, ) }, ... 80, ) == 0x0
 00595  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00596  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00597  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0V\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0V\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0W\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0W\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0X\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0V\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0V\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0W\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0W\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0X\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0V\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0V\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0W\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0W\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0X\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00598  1036   NtClose  (80, ... ) == 0x0
 00599  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000009"}, ... 80, ) }, ... 80, ) == 0x0
 00600  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00601  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00602  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0[\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0[\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0]\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0]\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0^\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0[\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0[\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0]\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0]\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0^\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0]\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0^\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0[\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0[\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0]\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0]\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0^\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00603  1036   NtClose  (80, ... ) == 0x0
 00604  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000010"}, ... 80, ) }, ... 80, ) == 0x0
 00605  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00606  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00607  1036   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00608  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0a\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0a\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0b\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0c\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0a\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0a\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0b\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0c\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0a\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0a\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0b\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0c\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00609  1036   NtClose  (80, ... ) == 0x0
 00610  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000011"}, ... 80, ) }, ... 80, ) == 0x0
 00611  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00612  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00613  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0f\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0f\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0g\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0h\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0f\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0f\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0g\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0h\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0f\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0f\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0g\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0h\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00614  1036   NtClose  (80, ... ) == 0x0
 00615  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000012"}, ... 80, ) }, ... 80, ) == 0x0
 00616  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00617  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00618  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0k\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0k\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0l\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0m\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0m\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0n\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0k\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0k\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0l\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0m\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0m\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0n\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0m\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0n\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0k\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0k\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0l\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0m\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0m\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0n\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00619  1036   NtClose  (80, ... ) == 0x0
 00620  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000013"}, ... 80, ) }, ... 80, ) == 0x0
 00621  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00622  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00623  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0p\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0p\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0q\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0q\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0r\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0r\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0s\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0p\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0p\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0q\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0q\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0r\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0r\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0s\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0r\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0s\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0p\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0p\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0q\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0q\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0r\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0r\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0s\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00624  1036   NtClose  (80, ... ) == 0x0
 00625  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000014"}, ... 80, ) }, ... 80, ) == 0x0
 00626  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00627  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00628  1036   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00629  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0v\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0v\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0w\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0x\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0v\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0v\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0w\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0x\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0v\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0v\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0w\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0x\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00630  1036   NtClose  (80, ... ) == 0x0
 00631  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000015"}, ... 80, ) }, ... 80, ) == 0x0
 00632  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00633  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00634  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0{\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0{\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0|\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0}\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0{\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0{\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0|\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0}\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0{\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0{\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0|\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0}\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00635  1036   NtClose  (80, ... ) == 0x0
 00636  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000016"}, ... 80, ) }, ... 80, ) == 0x0
 00637  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00638  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00639  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\200\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\200\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\201\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\202\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\200\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\200\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\201\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\202\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\200\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\200\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\201\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\202\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00640  1036   NtClose  (80, ... ) == 0x0
 00641  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000017"}, ... 80, ) }, ... 80, ) == 0x0
 00642  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00643  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00644  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\205\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\205\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\206\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\207\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\205\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\205\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\206\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\207\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\205\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\205\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\206\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\207\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00645  1036   NtClose  (80, ... ) == 0x0
 00646  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000018"}, ... 80, ) }, ... 80, ) == 0x0
 00647  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00648  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00649  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\212\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\212\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\213\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\214\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\212\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\212\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\213\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\214\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\212\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\212\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\213\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\214\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00650  1036   NtClose  (80, ... ) == 0x0
 00651  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000019"}, ... 80, ) }, ... 80, ) == 0x0
 00652  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00653  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00654  1036   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00655  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\220\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\220\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\221\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\222\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\220\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\220\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\221\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\222\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\220\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\220\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\221\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\222\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00656  1036   NtClose  (80, ... ) == 0x0
 00657  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000020"}, ... 80, ) }, ... 80, ) == 0x0
 00658  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00659  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00660  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\225\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\225\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\226\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\227\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\225\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\225\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\226\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\227\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\225\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\225\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\226\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\227\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00661  1036   NtClose  (80, ... ) == 0x0
 00662  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000021"}, ... 80, ) }, ... 80, ) == 0x0
 00663  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00664  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00665  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\232\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\232\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\233\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\234\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\232\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\232\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\233\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\234\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\232\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\232\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\233\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\234\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\2\0\0\340\4\0\0\14\4\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00666  1036   NtClose  (80, ... ) == 0x0
 00667  1036   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000022"}, ... 80, ) }, ... 80, ) == 0x0
 00668  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00669  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00670  1036   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\237\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\237\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\240\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\2\0\0\340\4\0\0\14\4\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\2\0\0\340\4\0\0\14\4\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\242\2\0\0\340\4\0\0\14\4\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\242\2\0\0\340\4\0\0\14\4\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\243\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0@\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\230r\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\237\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\237\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\240\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\2\0\0\340\4\0\0\14\4\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\2\0\0\340\4\0\0\14\4\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\242\2\0\0\340\4\0\0\14\4\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\242\2\0\0\340\4\0\0\14\4\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\243\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0@\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\230r\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\237\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\237\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\240\2\0\0\340\4\0\0\14\4\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\2\0\0\340\4\0\0\14\4\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\2\0\0\340\4\0\0\14\4\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\242\2\0\0\340\4\0\0\14\4\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\242\2\0\0\340\4\0\0\14\4\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\243\2\0\0\340\4\0\0\14\4\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0@\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\230r\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00671  1036   NtClose  (80, ... ) == 0x0
 00672  1036   NtClose  (76, ... ) == 0x0
 00673  1036   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 00674  1036   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0
 00675  1036   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 80, ) }, ... 80, ) == 0x0
 00676  1036   NtQueryValueKey  (80,  (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00677  1036   NtNotifyChangeKey  (80, 76, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00678  1036   NtQueryValueKey  (80,  (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00679  1036   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00680  1036   NtQueryValueKey  (80,  (80, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00681  1036   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "Catalog_Entries"}, ... 84, ) }, ... 84, ) == 0x0
 00682  1036   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000001"}, ... 88, ) }, ... 88, ) == 0x0
 00683  1036   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00684  1036   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00685  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00686  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00687  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00688  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00689  1036   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00690  1036   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00691  1036   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00692  1036   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00693  1036   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00694  1036   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00695  1036   NtClose  (88, ... ) == 0x0
 00696  1036   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000002"}, ... 88, ) }, ... 88, ) == 0x0
 00697  1036   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00698  1036   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00699  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00700  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00701  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00702  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00703  1036   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00704  1036   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00705  1036   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00706  1036   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00707  1036   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00708  1036   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00709  1036   NtClose  (88, ... ) == 0x0
 00710  1036   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00711  1036   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000003"}, ... 88, ) }, ... 88, ) == 0x0
 00712  1036   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00713  1036   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00714  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00715  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00716  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00717  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00718  1036   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00719  1036   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00720  1036   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00721  1036   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00722  1036   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00723  1036   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00724  1036   NtClose  (88, ... ) == 0x0
 00725  1036   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000004"}, ... 88, ) }, ... 88, ) == 0x0
 00726  1036   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00727  1036   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00728  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00729  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00730  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00731  1036   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00732  1036   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00733  1036   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00734  1036   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00735  1036   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00736  1036   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00737  1036   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00738  1036   NtClose  (88, ... ) == 0x0
 00739  1036   NtClose  (84, ... ) == 0x0
 00740  1036   NtWaitForSingleObject  (76, 0, {0, 0}, ... ) == 0x102
 00741  1036   NtClose  (64, ... ) == 0x0
 00742  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00743  1036   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00744  1036   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 64, ) }, ... 64, ) == 0x0
 00745  1036   NtQueryValueKey  (64,  (64, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00746  1036   NtClose  (64, ... ) == 0x0
 00747  1036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 64, ) == 0x0
 00748  1036   NtAllocateVirtualMemory  (-1, 9977856, 0, 81920, 4096, 4, ... 9977856, 81920, ) == 0x0
 00749  1036   NtLockVirtualMemory  (-1, (0x980440), 65536, 1, ... (0x980000), 69632, ) == 0x0
 00750  1036   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 84, ) == 0x0
 00751  1036   NtQueryVirtualMemory  (-1, 0x3df666, Basic, 28, ... {BaseAddress=0x3df000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x15000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00752  1036   NtContinue  (1244328, 0, ...
 00753  1036   NtFreeVirtualMemory  (-1, (0x994000), 16384, 16384, ... (0x994000), 16384, ) == 0x0
 00754  1036   NtQueryVirtualMemory  (-1, 0x3deb09, Basic, 28, ... {BaseAddress=0x3de000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x16000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00755  1036   NtContinue  (1244016, 0, ...
 00756  1036   NtAllocateVirtualMemory  (-1, 10043392, 0, 32768, 4096, 4, ... 10043392, 32768, ) == 0x0
 00757  1036   NtAllocateVirtualMemory  (-1, 0, 0, 29, 4096, 64, ... 11010048, 4096, ) == 0x0
 00758  1036   NtAllocateVirtualMemory  (-1, 0, 0, 21, 4096, 64, ... 11075584, 4096, ) == 0x0
 00759  1036   NtAllocateVirtualMemory  (-1, 0, 0, 37, 4096, 64, ... 11141120, 4096, ) == 0x0
 00760  1036   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 11206656, 4096, ) == 0x0
 00761  1036   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 11272192, 4096, ) == 0x0
 00762  1036   NtAllocateVirtualMemory  (-1, 0, 0, 34, 4096, 64, ... 11337728, 4096, ) == 0x0
 00763  1036   NtAllocateVirtualMemory  (-1, 0, 0, 30, 4096, 64, ... 11403264, 4096, ) == 0x0
 00764  1036   NtAllocateVirtualMemory  (-1, 0, 0, 23, 4096, 64, ... 11468800, 4096, ) == 0x0
 00765  1036   NtAllocateVirtualMemory  (-1, 0, 0, 23, 4096, 64, ... 11534336, 4096, ) == 0x0
 00766  1036   NtAllocateVirtualMemory  (-1, 0, 0, 21, 4096, 64, ... 11599872, 4096, ) == 0x0
 00767  1036   NtAllocateVirtualMemory  (-1, 0, 0, 41, 4096, 64, ... 11665408, 4096, ) == 0x0
 00768  1036   NtAllocateVirtualMemory  (-1, 0, 0, 34, 4096, 64, ... 11730944, 4096, ) == 0x0
 00769  1036   NtAllocateVirtualMemory  (-1, 0, 0, 31, 4096, 64, ... 11796480, 4096, ) == 0x0
 00770  1036   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 11862016, 4096, ) == 0x0
 00771  1036   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 11927552, 4096, ) == 0x0
 00772  1036   NtAllocateVirtualMemory  (-1, 0, 0, 26, 4096, 64, ... 11993088, 4096, ) == 0x0
 00773  1036   NtAllocateVirtualMemory  (-1, 0, 0, 318, 4096, 64, ... 12058624, 4096, ) == 0x0
 00774  1036   NtQueryVirtualMemory  (-1, 0x3ded53, Basic, 28, ... {BaseAddress=0x3de000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x16000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00775  1036   NtContinue  (1244016, 0, ...
 00776  1036   NtFreeVirtualMemory  (-1, (0x994000), 32768, 16384, ... (0x994000), 32768, ) == 0x0
 00777  1036   NtQueryVirtualMemory  (-1, 0x3df23a, Basic, 28, ... {BaseAddress=0x3df000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x15000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00778  1036   NtContinue  (1244016, 0, ...
 00779  1036   NtAllocateVirtualMemory  (-1, 10043392, 0, 32768, 4096, 4, ... 10043392, 32768, ) == 0x0
 00780  1036   NtQueryVirtualMemory  (-1, 0x3c4409, Basic, 28, ... {BaseAddress=0x3c4000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x30000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00781  1036   NtQueryVirtualMemory  (-1, 0x3df60e, Basic, 28, ... {BaseAddress=0x3df000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x15000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00782  1036   NtQueryVirtualMemory  (-1, 0x3df854, Basic, 28, ... {BaseAddress=0x3df000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x15000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00783  1036   NtContinue  (1242888, 0, ...
 00784  1036   NtUserFindExistingCursorIcon  (1242844, 1242860, 1242908, ... ) == 0x10015
 00785  1036   NtUserSetCursor  (65557, ... ) == 0x10015
 00786  1036   NtGdiCreateCompatibleDC  (0, ... ) == 0x6e0106ed
 00787  1036   NtGdiGetTextCharsetInfo  (1845561069, 0, 0, ... ) == 0x0
 00788  1036   NtGdiHfontCreate  (1242600, 356, 0, 0, 1333032, ... ) == 0x3c0a056c
 00789  1036   NtGdiGetTextMetricsW  (1845561069, 1242916, 68, ... ) == 0x1
 00790  1036   NtGdiGetTextFaceW  (1845561069, 32, 1243224, 1, ... ) == 0xe
 00791  1036   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00792  1036   NtGdiGetWidthTable  (1845561069, 52, 1367776, 308, 1368392, 1367144, 1367160, ... ) == 0x1
 00793  1036   NtGdiDeleteObjectApp  (1845561069, ... ) == 0x1
 00794  1036   NtUserGetForegroundWindow  (... ) == 0x70104
 00795  1036   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 00796  1036   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 00797  1036   NtUserGetAtomName  (32770, 1242104, ... ) == 0x6
 00798  1036   NtUserCreateWindowEx  (-2147417855, 32770, 32770,  (-2147417855, 32770, 32770, " ", 13240516, 284, 271, 456, 195, 0, 0, 0, 0, 1073742848, 0, ... , 13240516, 284, 271, 456, 195, 0, 0, 0, 0, 1073742848, 0, ...
 00799  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1239580, ... ) }, 1239580, ... ) == 0x0
 00800  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00801  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 88, ... 92, ) == 0x0
 00802  1036   NtClose  (88, ... ) == 0x0
 00803  1036   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb90000), 0x0, 294912, ) == 0x0
 00804  1036   NtClose  (92, ... ) == 0x0
 00805  1036   NtUnmapViewOfSection  (-1, 0xb90000, ... ) == 0x0
 00806  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1239888, ... ) }, 1239888, ... ) == 0x0
 00807  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00808  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00809  1036   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00810  1036   NtClose  (92, ... ) == 0x0
 00811  1036   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74720000), 0x0, 307200, ) == 0x0
 00812  1036   NtClose  (88, ... ) == 0x0
 00813  1036   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00814  1036   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00815  1036   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00816  1036   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00817  1036   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00818  1036   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00819  1036   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00820  1036   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00821  1036   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00822  1036   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00823  1036   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00824  1036   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00825  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 1237244, ... ) }, 1237244, ... ) == 0x0
 00827  1036   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00828  1036   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00829  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.Private", ... ) , ... ) == 0xc0a1
 00830  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.SetFocus", ... ) , ... ) == 0xc0a2
 00831  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadTerminate", ... ) , ... ) == 0xc0a3
 00832  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadItemChange", ... ) , ... ) == 0xc0a4
 00833  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LangBarModal", ... ) , ... ) == 0xc0a5
 00834  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.RpcSendReceive", ... ) , ... ) == 0xc0a6
 00835  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadMarshal", ... ) , ... ) == 0xc0a7
 00836  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.CheckThreadInputIdel", ... ) , ... ) == 0xc0a8
 00837  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.StubCleanUp", ... ) , ... ) == 0xc0a9
 00838  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ShowFloating", ... ) , ... ) == 0xc0aa
 00839  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LBUpdate", ... ) , ... ) == 0xc0ab
 00840  1036   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.MuiMgrDirtyUpdate", ... ) , ... ) == 0xc0ac
 00841  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\imm32.dll"}, 1237252, ... ) }, 1237252, ... ) == 0x0
 00842  1036   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 3998, 1239644, 0, 0}  (24, {24, 52, new_msg, 0, 3998, 1239644, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\14\4\0\0\0\0\0\0" ... {24, 52, reply, 0, 1248, 1036, 57973, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\14\4\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 1248, 1036, 57973, 0}  (24, {24, 52, new_msg, 0, 3998, 1239644, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\14\4\0\0\0\0\0\0" ... {24, 52, reply, 0, 1248, 1036, 57973, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\14\4\0\0\0\0\0\0" )  ) == 0x0
 00843  1036   NtUserGetThreadDesktop  (1036, 0, ... ) == 0x24
 00844  1036   NtUserGetObjectInformation  (36, 2, 1318544, 520, 1239552, ... ) == 0x1
 00845  1036   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00846  1036   NtQueryInformationToken  (88, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00847  1036   NtQueryInformationToken  (88, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 00848  1036   NtClose  (88, ... ) == 0x0
 00849  1036   NtCreateSection  (0xf0007, {24, 48, 0x80, 0, 0,  (0xf0007, {24, 48, 0x80, 0, 0, "CiceroSharedMemDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, {3240, 0}, 4, 134217728, 0, ... 88, ) }, {3240, 0}, 4, 134217728, 0, ... 88, ) == STATUS_OBJECT_NAME_EXISTS
 00850  1036   NtMapViewOfSection  (88, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xb90000), {0, 0}, 4096, ) == 0x0
 00851  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\Compatibility\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00852  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\SystemShared\"}, ... 92, ) }, ... 92, ) == 0x0
 00853  1036   NtQueryValueKey  (92,  (92, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00854  1036   NtClose  (92, ... ) == 0x0
 00855  1036   NtUserFindExistingCursorIcon  (1239084, 1239100, 1239148, ... ) == 0x10011
 00856  1036   NtUserRegisterClassExWOW  (1239356, 1239452, 1239436, 1239424, 0, 386, 0, ... ) == 0x816ec0ad
 00857  1036   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.LBES.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 92, ) }, 0, ... 92, ) == STATUS_OBJECT_NAME_EXISTS
 00858  1036   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.Compart.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 96, ) }, 0, ... 96, ) == STATUS_OBJECT_NAME_EXISTS
 00859  1036   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.Asm.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 100, ) }, 0, ... 100, ) == STATUS_OBJECT_NAME_EXISTS
 00860  1036   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.Layouts.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 104, ) }, 0, ... 104, ) == STATUS_OBJECT_NAME_EXISTS
 00861  1036   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.TMD.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 108, ) }, 0, ... 108, ) == STATUS_OBJECT_NAME_EXISTS
 00862  1036   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Keyboard Layout\Toggle"}, ... 112, ) }, ... 112, ) == 0x0
 00863  1036   NtQueryValueKey  (112,  (112, "Language Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864  1036   NtQueryValueKey  (112,  (112, "Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00865  1036   NtQueryValueKey  (112,  (112, "Layout Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00866  1036   NtClose  (112, ... ) == 0x0
 00867  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 1237072, ... ) }, 1237072, ... ) == 0x0
 00868  1036   NtQueryDefaultUILanguage  (1239632, ...
 00869  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00870  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00871  1036   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00872  1036   NtClose  (-2147482740, ... ) == 0x0
 00873  1036   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00874  1036   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875  1036   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00876  1036   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00877  1036   NtClose  (-2147481328, ... ) == 0x0
 00878  1036   NtClose  (-2147482740, ... ) == 0x0
 00868  1036   NtQueryDefaultUILanguage  ... ) == 0x0
 00879  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\"}, ... 112, ) }, ... 112, ) == 0x0
 00880  1036   NtQueryValueKey  (112,  (112, "EnableAnchorContext", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00881  1036   NtClose  (112, ... ) == 0x0
 00882  1036   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003MUTEX.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 112, ) }, 0, ... 112, ) == STATUS_OBJECT_NAME_EXISTS
 00883  1036   NtOpenSection  (0xf001f, {24, 48, 0x0, 0, 0,  (0xf001f, {24, 48, 0x0, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003SFM.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, ... 116, ) }, ... 116, ) == 0x0
 00884  1036   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xba0000), {0, 0}, 262144, ) == 0x0
 00885  1036   NtWaitForSingleObject  (112, 0, {-50000000, -1}, ... ) == 0x0
 00886  1036   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 00887  1036   NtWaitForSingleObject  (112, 0, {-50000000, -1}, ... ) == 0x0
 00888  1036   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 00889  1036   NtWaitForSingleObject  (112, 0, {-50000000, -1}, ... ) == 0x0
 00890  1036   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 00891  1036   NtUserSetWindowsHookEx  (1953628160, 1241116, 1036, 2, 1953694283, 2, ... ) == 0xb0277
 00892  1036   NtUserSetWindowsHookEx  (1953628160, 1241116, 1036, 7, 1953693577, 2, ... ) == 0x601df
 00893  1036   NtUserSetWindowFNID  (655618, 676, ... ) == 0x1
 00894  1036   NtUserCallHwndParam  (655618, 1369820, 79, ... ) == 0x14e6dc
 00895  1036   NtUserMessageCall  (0xa0102, WM_NCCREATE, 0x0, 0x12f39c, 0, 670, 1, ... ) == 0x1
 00896  1036   NtUserSetWindowFNID  (590100, 681, ... ) == 0x1
 00897  1036   NtUserSetWindowLong  (590100, 0, 1368704, 0, ... ) == 0x0
 00898  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 120, ) }, ... 120, ) == 0x0
 00899  1036   NtQueryValueKey  (120,  (120, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (120, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 00900  1036   NtClose  (120, ... ) == 0x0
 00901  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00902  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00903  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238372, ... ) }, 1238372, ... ) == 0x0
 00904  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 00905  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 124, ) == 0x0
 00906  1036   NtClose  (120, ... ) == 0x0
 00907  1036   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbe0000), 0x0, 180224, ) == 0x0
 00908  1036   NtClose  (124, ... ) == 0x0
 00909  1036   NtUnmapViewOfSection  (-1, 0xbe0000, ... ) == 0x0
 00910  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237968, ... ) }, 1237968, ... ) == 0x0
 00911  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238712,  (0x80100080, {24, 0, 0x40, 0, 1238712, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 00912  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 124, ... 120, ) == 0x0
 00913  1036   NtClose  (124, ... ) == 0x0
 00914  1036   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbe0000), {0, 0}, 180224, ) == 0x0
 00915  1036   NtClose  (120, ... ) == 0x0
 00916  1036   NtQueryDefaultUILanguage  (2090319928, ...
 00917  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00918  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00919  1036   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00920  1036   NtClose  (-2147482740, ... ) == 0x0
 00921  1036   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00922  1036   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923  1036   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00924  1036   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925  1036   NtClose  (-2147481328, ... ) == 0x0
 00926  1036   NtClose  (-2147482740, ... ) == 0x0
 00916  1036   NtQueryDefaultUILanguage  ... ) == 0x0
 00927  1036   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00928  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00929  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00930  1036   NtQueryDefaultLocale  (1, 1239332, ... ) == 0x0
 00931  1036   NtQueryVirtualMemory  (-1, 0xbe0000, Basic, 28, ... {BaseAddress=0xbe0000,AllocationBase=0xbe0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00932  1036   NtQueryVirtualMemory  (-1, 0xbe0000, Basic, 28, ... {BaseAddress=0xbe0000,AllocationBase=0xbe0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00933  1036   NtUnmapViewOfSection  (-1, 0xbe0000, ... ) == 0x0
 00934  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00935  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00936  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238364, ... ) }, 1238364, ... ) == 0x0
 00937  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 00938  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 124, ) == 0x0
 00939  1036   NtClose  (120, ... ) == 0x0
 00940  1036   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbe0000), 0x0, 180224, ) == 0x0
 00941  1036   NtClose  (124, ... ) == 0x0
 00942  1036   NtUnmapViewOfSection  (-1, 0xbe0000, ... ) == 0x0
 00943  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237960, ... ) }, 1237960, ... ) == 0x0
 00944  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238704,  (0x80100080, {24, 0, 0x40, 0, 1238704, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 00945  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 124, ... 120, ) == 0x0
 00946  1036   NtClose  (124, ... ) == 0x0
 00947  1036   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbe0000), {0, 0}, 180224, ) == 0x0
 00948  1036   NtClose  (120, ... ) == 0x0
 00949  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00950  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00951  1036   NtQueryDefaultLocale  (1, 1239324, ... ) == 0x0
 00952  1036   NtQueryVirtualMemory  (-1, 0xbe0000, Basic, 28, ... {BaseAddress=0xbe0000,AllocationBase=0xbe0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00953  1036   NtUnmapViewOfSection  (-1, 0xbe0000, ... ) == 0x0
 00954  1036   NtOpenMutant  (0x120001, {24, 48, 0x0, 0, 0,  (0x120001, {24, 48, 0x0, 0, 0, "ShimCacheMutex"}, ... 120, ) }, ... 120, ) == 0x0
 00955  1036   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 00956  1036   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "ShimSharedMemory"}, ... 124, ) }, ... 124, ) == 0x0
 00957  1036   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xbe0000), {0, 0}, 57344, ) == 0x0
 00958  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00959  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 00960  1036   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00961  1036   NtClose  (128, ... ) == 0x0
 00962  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963  1036   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 00964  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238344, ... ) }, 1238344, ... ) == 0x0
 00965  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 00966  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 00967  1036   NtClose  (128, ... ) == 0x0
 00968  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 00969  1036   NtClose  (132, ... ) == 0x0
 00970  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 00971  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238652, ... ) }, 1238652, ... ) == 0x0
 00972  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 00973  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 00974  1036   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00975  1036   NtClose  (132, ... ) == 0x0
 00976  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 00977  1036   NtClose  (128, ... ) == 0x0
 00978  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00979  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00980  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00981  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00982  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00983  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00984  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00985  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00986  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00987  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00988  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00989  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00990  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00991  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00992  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00993  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00994  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00995  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00996  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00997  1036   NtUserGetDC  (0, ... ) == 0x1010052
 00998  1036   NtUserSystemParametersInfo  (66, 12, 1238840, 0, ... ) == 0x1
 00999  1036   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01000  1036   NtQueryVirtualMemory  (-1, 0x7c91ca50, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01001  1036   NtQueryVirtualMemory  (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01002  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01003  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01004  1036   NtContinue  (1237044, 0, ...
 01005  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01006  1036   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01007  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01008  1036   NtUserMessageCall  (0x90114, WM_NCCREATE, 0x0, 0x12f388, 0, 670, 0, ... ) == 0x1
 01009  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01010  1036   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01011  1036   NtClose  (128, ... ) == 0x0
 01012  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01013  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01014  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238468, ... ) }, 1238468, ... ) == 0x0
 01015  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01016  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01017  1036   NtClose  (128, ... ) == 0x0
 01018  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01019  1036   NtClose  (132, ... ) == 0x0
 01020  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01021  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238064, ... ) }, 1238064, ... ) == 0x0
 01022  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238808,  (0x80100080, {24, 0, 0x40, 0, 1238808, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01023  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01024  1036   NtClose  (132, ... ) == 0x0
 01025  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01026  1036   NtClose  (128, ... ) == 0x0
 01027  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01028  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01029  1036   NtQueryDefaultLocale  (1, 1239428, ... ) == 0x0
 01030  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01031  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01032  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01033  1036   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01034  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01035  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01036  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238460, ... ) }, 1238460, ... ) == 0x0
 01037  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01038  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01039  1036   NtClose  (128, ... ) == 0x0
 01040  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01041  1036   NtClose  (132, ... ) == 0x0
 01042  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01043  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238056, ... ) }, 1238056, ... ) == 0x0
 01044  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238800,  (0x80100080, {24, 0, 0x40, 0, 1238800, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01045  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01046  1036   NtClose  (132, ... ) == 0x0
 01047  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01048  1036   NtClose  (128, ... ) == 0x0
 01049  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01050  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01051  1036   NtQueryDefaultLocale  (1, 1239420, ... ) == 0x0
 01052  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01053  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01054  1036   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01055  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01056  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01057  1036   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01058  1036   NtClose  (128, ... ) == 0x0
 01059  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01060  1036   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01061  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238440, ... ) }, 1238440, ... ) == 0x0
 01062  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01063  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01064  1036   NtClose  (128, ... ) == 0x0
 01065  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01066  1036   NtClose  (132, ... ) == 0x0
 01067  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01068  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238748, ... ) }, 1238748, ... ) == 0x0
 01069  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01070  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01071  1036   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01072  1036   NtClose  (132, ... ) == 0x0
 01073  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01074  1036   NtClose  (128, ... ) == 0x0
 01075  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01076  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01077  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01078  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01079  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01080  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01081  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01082  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01083  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01084  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01085  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01086  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01087  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01088  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01089  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01090  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01091  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01092  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01093  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094  1036   NtUserGetDC  (0, ... ) == 0x1010052
 01095  1036   NtUserSystemParametersInfo  (66, 12, 1238936, 0, ... ) == 0x1
 01096  1036   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01097  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01098  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01099  1036   NtContinue  (1237140, 0, ...
 01100  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01101  1036   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01102  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01103  1036   NtUserMessageCall  (0x90114, WM_NCCALCSIZE, 0x0, 0x12f3cc, 0, 670, 0, ... ) == 0x0
 01104  1036   NtUserSetProp  (590100, 43288, -1, ... ) == 0x1
 01105  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01106  1036   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01107  1036   NtClose  (128, ... ) == 0x0
 01108  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01109  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01110  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238372, ... ) }, 1238372, ... ) == 0x0
 01111  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01112  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01113  1036   NtClose  (128, ... ) == 0x0
 01114  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01115  1036   NtClose  (132, ... ) == 0x0
 01116  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01117  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237968, ... ) }, 1237968, ... ) == 0x0
 01118  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238712,  (0x80100080, {24, 0, 0x40, 0, 1238712, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01119  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01120  1036   NtClose  (132, ... ) == 0x0
 01121  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01122  1036   NtClose  (128, ... ) == 0x0
 01123  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01124  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01125  1036   NtQueryDefaultLocale  (1, 1239332, ... ) == 0x0
 01126  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01127  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01128  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01129  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01130  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01131  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238364, ... ) }, 1238364, ... ) == 0x0
 01132  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01133  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01134  1036   NtClose  (128, ... ) == 0x0
 01135  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01136  1036   NtClose  (132, ... ) == 0x0
 01137  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01138  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237960, ... ) }, 1237960, ... ) == 0x0
 01139  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238704,  (0x80100080, {24, 0, 0x40, 0, 1238704, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01140  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01141  1036   NtClose  (132, ... ) == 0x0
 01142  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01143  1036   NtClose  (128, ... ) == 0x0
 01144  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01145  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01146  1036   NtQueryDefaultLocale  (1, 1239324, ... ) == 0x0
 01147  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01148  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01149  1036   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01150  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01151  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01152  1036   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01153  1036   NtClose  (128, ... ) == 0x0
 01154  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155  1036   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01156  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238344, ... ) }, 1238344, ... ) == 0x0
 01157  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01158  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01159  1036   NtClose  (128, ... ) == 0x0
 01160  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01161  1036   NtClose  (132, ... ) == 0x0
 01162  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01163  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238652, ... ) }, 1238652, ... ) == 0x0
 01164  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01165  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01166  1036   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01167  1036   NtClose  (132, ... ) == 0x0
 01168  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01169  1036   NtClose  (128, ... ) == 0x0
 01170  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01171  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01172  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01173  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01174  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01175  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01176  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01177  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01178  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01179  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01180  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01181  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01182  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01183  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01184  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01185  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01186  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01187  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01188  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01189  1036   NtUserGetDC  (0, ... ) == 0x1010052
 01190  1036   NtUserSystemParametersInfo  (66, 12, 1238840, 0, ... ) == 0x1
 01191  1036   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01192  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01193  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01194  1036   NtContinue  (1237044, 0, ...
 01195  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01196  1036   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01197  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01198  1036   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01199  1036   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 01200  1036   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 01201  1036   NtUserUpdateInputContext  (7536899, 1, 590100, ... ) == 0x1
 01202  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01203  1036   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01204  1036   NtClose  (128, ... ) == 0x0
 01205  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01206  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01207  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238480, ... ) }, 1238480, ... ) == 0x0
 01208  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01209  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01210  1036   NtClose  (128, ... ) == 0x0
 01211  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01212  1036   NtClose  (132, ... ) == 0x0
 01213  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01214  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238076, ... ) }, 1238076, ... ) == 0x0
 01215  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238820,  (0x80100080, {24, 0, 0x40, 0, 1238820, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01216  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01217  1036   NtClose  (132, ... ) == 0x0
 01218  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01219  1036   NtClose  (128, ... ) == 0x0
 01220  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01221  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01222  1036   NtQueryDefaultLocale  (1, 1239440, ... ) == 0x0
 01223  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01224  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01225  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01226  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01227  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01228  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238472, ... ) }, 1238472, ... ) == 0x0
 01229  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01230  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01231  1036   NtClose  (128, ... ) == 0x0
 01232  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01233  1036   NtClose  (132, ... ) == 0x0
 01234  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01235  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238068, ... ) }, 1238068, ... ) == 0x0
 01236  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238812,  (0x80100080, {24, 0, 0x40, 0, 1238812, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01237  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01238  1036   NtClose  (132, ... ) == 0x0
 01239  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01240  1036   NtClose  (128, ... ) == 0x0
 01241  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01242  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01243  1036   NtQueryDefaultLocale  (1, 1239432, ... ) == 0x0
 01244  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01245  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01246  1036   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01247  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01248  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01249  1036   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01250  1036   NtClose  (128, ... ) == 0x0
 01251  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252  1036   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01253  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238452, ... ) }, 1238452, ... ) == 0x0
 01254  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01255  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01256  1036   NtClose  (128, ... ) == 0x0
 01257  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01258  1036   NtClose  (132, ... ) == 0x0
 01259  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01260  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238760, ... ) }, 1238760, ... ) == 0x0
 01261  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01262  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01263  1036   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01264  1036   NtClose  (132, ... ) == 0x0
 01265  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01266  1036   NtClose  (128, ... ) == 0x0
 01267  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01268  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01269  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01270  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01271  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01272  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01273  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01274  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01275  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01276  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01277  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01278  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01279  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01280  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01281  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01282  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01283  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01284  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01285  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01286  1036   NtUserGetDC  (0, ... ) == 0x1010052
 01287  1036   NtUserSystemParametersInfo  (66, 12, 1238948, 0, ... ) == 0x1
 01288  1036   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01289  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01290  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01291  1036   NtContinue  (1237152, 0, ...
 01292  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01293  1036   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01294  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01295  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01296  1036   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01297  1036   NtClose  (128, ... ) == 0x0
 01298  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01299  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01300  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238480, ... ) }, 1238480, ... ) == 0x0
 01301  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01302  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01303  1036   NtClose  (128, ... ) == 0x0
 01304  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01305  1036   NtClose  (132, ... ) == 0x0
 01306  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01307  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238076, ... ) }, 1238076, ... ) == 0x0
 01308  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238820,  (0x80100080, {24, 0, 0x40, 0, 1238820, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01309  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01310  1036   NtClose  (132, ... ) == 0x0
 01311  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01312  1036   NtClose  (128, ... ) == 0x0
 01313  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01314  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01315  1036   NtQueryDefaultLocale  (1, 1239440, ... ) == 0x0
 01316  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01317  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01318  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01319  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01320  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01321  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238472, ... ) }, 1238472, ... ) == 0x0
 01322  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01323  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01324  1036   NtClose  (128, ... ) == 0x0
 01325  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01326  1036   NtClose  (132, ... ) == 0x0
 01327  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01328  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238068, ... ) }, 1238068, ... ) == 0x0
 01329  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238812,  (0x80100080, {24, 0, 0x40, 0, 1238812, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01330  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01331  1036   NtClose  (132, ... ) == 0x0
 01332  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01333  1036   NtClose  (128, ... ) == 0x0
 01334  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01335  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01336  1036   NtQueryDefaultLocale  (1, 1239432, ... ) == 0x0
 01337  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01338  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01339  1036   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01340  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01341  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01342  1036   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01343  1036   NtClose  (128, ... ) == 0x0
 01344  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01345  1036   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01346  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238452, ... ) }, 1238452, ... ) == 0x0
 01347  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01348  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01349  1036   NtClose  (128, ... ) == 0x0
 01350  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01351  1036   NtClose  (132, ... ) == 0x0
 01352  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01353  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238760, ... ) }, 1238760, ... ) == 0x0
 01354  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01355  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01356  1036   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01357  1036   NtClose  (132, ... ) == 0x0
 01358  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01359  1036   NtClose  (128, ... ) == 0x0
 01360  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01361  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01362  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01363  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01364  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01365  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01366  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01367  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01368  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01369  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01370  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01371  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01372  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01373  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01374  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01375  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01376  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01377  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01378  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01379  1036   NtUserGetDC  (0, ... ) == 0x1010052
 01380  1036   NtUserSystemParametersInfo  (66, 12, 1238948, 0, ... ) == 0x1
 01381  1036   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01382  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01383  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01384  1036   NtContinue  (1237152, 0, ...
 01385  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01386  1036   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01387  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01388  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01389  1036   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01390  1036   NtClose  (128, ... ) == 0x0
 01391  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01392  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01393  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238480, ... ) }, 1238480, ... ) == 0x0
 01394  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01395  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01396  1036   NtClose  (128, ... ) == 0x0
 01397  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01398  1036   NtClose  (132, ... ) == 0x0
 01399  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01400  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238076, ... ) }, 1238076, ... ) == 0x0
 01401  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238820,  (0x80100080, {24, 0, 0x40, 0, 1238820, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01402  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01403  1036   NtClose  (132, ... ) == 0x0
 01404  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01405  1036   NtClose  (128, ... ) == 0x0
 01406  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01407  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01408  1036   NtQueryDefaultLocale  (1, 1239440, ... ) == 0x0
 01409  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01410  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01411  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01412  1036   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01413  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01414  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01415  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238472, ... ) }, 1238472, ... ) == 0x0
 01416  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01417  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01418  1036   NtClose  (128, ... ) == 0x0
 01419  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01420  1036   NtClose  (132, ... ) == 0x0
 01421  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01422  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238068, ... ) }, 1238068, ... ) == 0x0
 01423  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238812,  (0x80100080, {24, 0, 0x40, 0, 1238812, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01424  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01425  1036   NtClose  (132, ... ) == 0x0
 01426  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01427  1036   NtClose  (128, ... ) == 0x0
 01428  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01429  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01430  1036   NtQueryDefaultLocale  (1, 1239432, ... ) == 0x0
 01431  1036   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01432  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01433  1036   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01434  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01435  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01436  1036   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01437  1036   NtClose  (128, ... ) == 0x0
 01438  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439  1036   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01440  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238452, ... ) }, 1238452, ... ) == 0x0
 01441  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01442  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01443  1036   NtClose  (128, ... ) == 0x0
 01444  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01445  1036   NtClose  (132, ... ) == 0x0
 01446  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01447  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238760, ... ) }, 1238760, ... ) == 0x0
 01448  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01449  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01450  1036   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01451  1036   NtClose  (132, ... ) == 0x0
 01452  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01453  1036   NtClose  (128, ... ) == 0x0
 01454  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01455  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01456  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01457  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01458  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01459  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01460  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01461  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01462  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01463  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01464  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01465  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01466  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01467  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01468  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01469  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01470  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01471  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01472  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473  1036   NtUserGetDC  (0, ... ) == 0x1010052
 01474  1036   NtUserSystemParametersInfo  (66, 12, 1238948, 0, ... ) == 0x1
 01475  1036   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01476  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01477  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01478  1036   NtContinue  (1237152, 0, ...
 01479  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01480  1036   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01481  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01482  1036   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF"}, ... 128, ) }, ... 128, ) == 0x0
 01483  1036   NtQueryValueKey  (128,  (128, "Disable Thread Input Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  1036   NtClose  (128, ... ) == 0x0
 01485  1036   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01486  1036   NtOpenProcessToken  (-1, 0xa, ... 128, ) == 0x0
 01487  1036   NtDuplicateToken  (128, 0xc, {24, 0, 0x0, 0, 1240836, 0x0}, 0, 2, ... 132, ) == 0x0
 01488  1036   NtClose  (128, ... ) == 0x0
 01489  1036   NtAccessCheck  (1375016, 132, 0x1, 1240912, 1240964, 56, 1240944, ... (0x1), ) == 0x0
 01490  1036   NtClose  (132, ... ) == 0x0
 01491  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\CTF\SystemShared"}, ... 132, ) }, ... 132, ) == 0x0
 01492  1036   NtQueryValueKey  (132,  (132, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01493  1036   NtClose  (132, ... ) == 0x0
 01494  1036   NtUserGetImeInfoEx  (1240728, 0, ... ) == 0x1
 01495  1036   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01496  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01497  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 01498  1036   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01499  1036   NtClose  (132, ... ) == 0x0
 01500  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01501  1036   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01502  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237760, ... ) }, 1237760, ... ) == 0x0
 01503  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01504  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 132, ... 128, ) == 0x0
 01505  1036   NtClose  (132, ... ) == 0x0
 01506  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01507  1036   NtClose  (128, ... ) == 0x0
 01508  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01509  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238068, ... ) }, 1238068, ... ) == 0x0
 01510  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01511  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 132, ) == 0x0
 01512  1036   NtQuerySection  (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01513  1036   NtClose  (128, ... ) == 0x0
 01514  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01515  1036   NtClose  (132, ... ) == 0x0
 01516  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01517  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01518  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01519  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01520  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01521  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01522  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01523  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01524  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01525  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01526  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01527  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01528  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01529  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01530  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01531  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01532  1036   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01533  1036   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01534  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535  1036   NtUserGetDC  (0, ... ) == 0x1010052
 01536  1036   NtUserSystemParametersInfo  (66, 12, 1238256, 0, ... ) == 0x1
 01537  1036   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01538  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01539  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01540  1036   NtContinue  (1236460, 0, ...
 01541  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01542  1036   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01543  1036   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01544  1036   NtUserMessageCall  (0xa0102, WM_NCCALCSIZE, 0x0, 0x12f3cc, 0, 670, 1, ... ) == 0x0
 01545  1036   NtUserGetClassName  (655618, 0, 1241236, ... ) == 0x6
 01546  1036   NtUserRemoveProp  (655618, 43282, ... ) == 0x0
 01547  1036   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 262144, 6881357, 7471203, 7536751}  (24, {24, 52, new_msg, 0, 262144, 6881357, 7471203, 7536751} "\0\0\0\0\5\4\3\0T\0e\0x\0t\0\14\4\0\0\34\357\22\0" ... {24, 52, reply, 0, 1248, 1036, 57974, 0} "\0\0\0\0\5\4\3\0\0\0\0\0x\0t\0\14\4\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 1248, 1036, 57974, 0}  (24, {24, 52, new_msg, 0, 262144, 6881357, 7471203, 7536751} "\0\0\0\0\5\4\3\0T\0e\0x\0t\0\14\4\0\0\34\357\22\0" ... {24, 52, reply, 0, 1248, 1036, 57974, 0} "\0\0\0\0\5\4\3\0\0\0\0\0x\0t\0\14\4\0\0\0\0\0\0" )  ) == 0x0
 01548  1036   NtUserGetThreadDesktop  (1036, 0, ... ) == 0x24
 01549  1036   NtUserGetObjectInformation  (36, 2, 1240920, 520, 0, ... ) == 0x1
 01550  1036   NtGdiDeleteObjectApp  (1913653144, ... ) == 0x1
 01551  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01552  1036   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01553  1036   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01554  1036   NtQueryVirtualMemory  (-1, 0x7e418830, Basic, 28, ... {BaseAddress=0x7e418000,AllocationBase=0x7e410000,AllocationProtect=0x80,RegionSize=0x58000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01555  1036   NtQueryVirtualMemory  (-1, 0x3b2fcf, Basic, 28, ... {BaseAddress=0x3b2000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x42000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 01556  1036   NtQueryVirtualMemory  (-1, 0x7c816fe0, Basic, 28, ... {BaseAddress=0x7c816000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x6e000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01557  1036   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01558  1036   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01559  1036   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01560  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01561  1036   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 01562  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 132, ) }, ... 132, ) == 0x0
 01563  1036   NtQueryValueKey  (132,  (132, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (132, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01564  1036   NtQueryValueKey  (132,  (132, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (132, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0
 01565  1036   NtClose  (132, ... ) == 0x0
 01566  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1236420, ... ) }, 1236420, ... ) == 0x0
 01567  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01568  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 132, ... 128, ) == 0x0
 01569  1036   NtClose  (132, ... ) == 0x0
 01570  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 81920, ) == 0x0
 01571  1036   NtClose  (128, ... ) == 0x0
 01572  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01573  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1236728, ... ) }, 1236728, ... ) == 0x0
 01574  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01575  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 132, ) == 0x0
 01576  1036   NtQuerySection  (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01577  1036   NtClose  (128, ... ) == 0x0
 01578  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0
 01579  1036   NtClose  (132, ... ) == 0x0
 01580  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 132, ) }, ... 132, ) == 0x0
 01581  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0
 01582  1036   NtClose  (132, ... ) == 0x0
 01583  1036   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01584  1036   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01585  1036   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01586  1036   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01587  1036   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01588  1036   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01589  1036   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01590  1036   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01591  1036   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01592  1036   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01593  1036   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01594  1036   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01595  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01596  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1235904, ... ) }, 1235904, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01597  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1235904, ... ) }, 1235904, ... ) == 0x0
 01598  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01599  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01600  1036   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01601  1036   NtClose  (132, ... ) == 0x0
 01602  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0
 01603  1036   NtClose  (128, ... ) == 0x0
 01604  1036   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01605  1036   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01606  1036   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01607  1036   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01608  1036   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01609  1036   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01610  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 128, ) }, ... 128, ) == 0x0
 01611  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 01612  1036   NtClose  (128, ... ) == 0x0
 01613  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01614  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01615  1036   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01616  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01617  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01618  1036   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01619  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01620  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01621  1036   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01622  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01623  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01624  1036   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01625  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01626  1036   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01627  1036   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01628  1036   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01629  1036   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01630  1036   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01631  1036   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01632  1036   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01633  1036   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01634  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01635  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1235904, ... ) }, 1235904, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01636  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1235904, ... ) }, 1235904, ... ) == 0x0
 01637  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01638  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 132, ) == 0x0
 01639  1036   NtQuerySection  (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01640  1036   NtClose  (128, ... ) == 0x0
 01641  1036   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 01642  1036   NtClose  (132, ... ) == 0x0
 01643  1036   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01644  1036   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01645  1036   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01646  1036   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01647  1036   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01648  1036   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01649  1036   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01650  1036   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01651  1036   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01652  1036   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01653  1036   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01654  1036   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01655  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01656  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1235904, ... ) }, 1235904, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01657  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1235904, ... ) }, 1235904, ... ) == 0x0
 01658  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01659  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01660  1036   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01661  1036   NtClose  (132, ... ) == 0x0
 01662  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 01663  1036   NtClose  (128, ... ) == 0x0
 01664  1036   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01665  1036   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01666  1036   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01667  1036   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01668  1036   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01669  1036   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01670  1036   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01671  1036   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01672  1036   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01673  1036   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01674  1036   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01675  1036   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01676  1036   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01677  1036   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01678  1036   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01679  1036   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 128, ) }, ... 128, ) == 0x0
 01680  1036   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 01681  1036   NtClose  (128, ... ) == 0x0
 01682  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01683  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01684  1036   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01685  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01686  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01687  1036   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01688  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01689  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01690  1036   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01691  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01692  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01693  1036   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01694  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01695  1036   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01696  1036   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01697  1036   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 01698  1036   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 01699  1036   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 01700  1036   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 01701  1036   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 01702  1036   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 01703  1036   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 01704  1036   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 01705  1036   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 01706  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01707  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0
 01708  1036   NtQueryValueKey  (128,  (128, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01709  1036   NtClose  (128, ... ) == 0x0
 01710  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0
 01711  1036   NtQueryValueKey  (128,  (128, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01712  1036   NtClose  (128, ... ) == 0x0
 01713  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 128, ) }, ... 128, ) == 0x0
 01714  1036   NtQueryValueKey  (128,  (128, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 01715  1036   NtClose  (128, ... ) == 0x0
 01716  1036   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1234496, 0,  (0x1f0003, {24, 48, 0x80, 1234496, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 128, ) }, 0, 1, ... 128, ) == STATUS_OBJECT_NAME_EXISTS
 01717  1036   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01718  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01719  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01720  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01721  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01722  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01723  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01724  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01725  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01726  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01727  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01728  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01729  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01730  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01731  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01732  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01733  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01734  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01735  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01736  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01737  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01738  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01739  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01740  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01741  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01742  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01743  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01744  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01745  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 01746  1036   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01747  1036   NtClose  (132, ... ) == 0x0
 01748  1036   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 132, ) }, ... 132, ) == 0x0
 01749  1036   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 136, ) }, ... 136, ) == 0x0
 01750  1036   NtQueryValueKey  (136,  (136, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01751  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01752  1036   NtQueryValueKey  (136,  (136, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 01753  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01754  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01755  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01756  1036   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01757  1036   NtClose  (136, ... ) == 0x0
 01758  1036   NtClose  (132, ... ) == 0x0
 01759  1036   NtAllocateVirtualMemory  (-1, 3297280, 0, 4096, 4096, 4, ... 3297280, 4096, ) == 0x0
 01760  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0
 01761  1036   NtQueryValueKey  (132,  (132, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01762  1036   NtClose  (132, ... ) == 0x0
 01763  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0
 01764  1036   NtQueryValueKey  (132,  (132, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01765  1036   NtQueryValueKey  (132,  (132, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01766  1036   NtClose  (132, ... ) == 0x0
 01767  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01768  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0
 01769  1036   NtQueryValueKey  (132,  (132, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01770  1036   NtClose  (132, ... ) == 0x0
 01771  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01772  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01773  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01774  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01775  1036   NtQueryPerformanceCounter  (... {924746013, 10}, {3579545, 0}, ) == 0x0
 01776  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01777  1036   NtQueryDefaultLocale  (1, 1236624, ... ) == 0x0
 01778  1036   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01779  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01780  1036   NtQueryValueKey  (132,  (132, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01781  1036   NtClose  (132, ... ) == 0x0
 01782  1036   NtUserGetProcessWindowStation  (... ) == 0x1c
 01783  1036   NtUserGetObjectInformation  (28, 1, 1236220, 12, 1236232, ... ) == 0x1
 01784  1036   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01785  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 132, ) }, ... 132, ) == 0x0
 01786  1036   NtQueryValueKey  (132,  (132, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 01787  1036   NtClose  (132, ... ) == 0x0
 01788  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01789  1036   NtQueryValueKey  (132,  (132, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01790  1036   NtQueryValueKey  (132,  (132, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01791  1036   NtClose  (132, ... ) == 0x0
 01792  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01793  1036   NtQueryValueKey  (132,  (132, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01794  1036   NtQueryValueKey  (132,  (132, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01795  1036   NtClose  (132, ... ) == 0x0
 01796  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01797  1036   NtQueryValueKey  (132,  (132, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01798  1036   NtQueryValueKey  (132,  (132, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01799  1036   NtClose  (132, ... ) == 0x0
 01800  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01801  1036   NtQueryValueKey  (132,  (132, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01802  1036   NtQueryValueKey  (132,  (132, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01803  1036   NtClose  (132, ... ) == 0x0
 01804  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01805  1036   NtQueryValueKey  (132,  (132, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01806  1036   NtQueryValueKey  (132,  (132, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01807  1036   NtClose  (132, ... ) == 0x0
 01808  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01809  1036   NtQueryValueKey  (132,  (132, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01810  1036   NtQueryValueKey  (132,  (132, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01811  1036   NtClose  (132, ... ) == 0x0
 01812  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 132, ) }, ... 132, ) == 0x0
 01813  1036   NtQueryValueKey  (132,  (132, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01814  1036   NtQueryValueKey  (132,  (132, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (132, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 01815  1036   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 01816  1036   NtClose  (132, ... ) == 0x0
 01817  1036   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
 01818  1036   NtCreateMutant  (0x1f0001, 0x0, 0, ... 136, ) == 0x0
 01819  1036   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 01820  1036   NtCreateMutant  (0x1f0001, 0x0, 0, ... 144, ) == 0x0
 01821  1036   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 148, ) == 0x0
 01822  1036   NtCreateMutant  (0x1f0001, 0x0, 0, ... 152, ) == 0x0
 01823  1036   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 156, ) }, ... 156, ) == 0x0
 01824  1036   NtQueryValueKey  (156,  (156, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01825  1036   NtQueryValueKey  (156,  (156, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01826  1036   NtQueryValueKey  (156,  (156, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01827  1036   NtOpenKey  (0x1, {24, 156, 0x40, 0, 0,  (0x1, {24, 156, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01828  1036   NtClose  (156, ... ) == 0x0
 01829  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1236136, ... ) }, 1236136, ... ) == 0x0
 01830  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 156, ) }, ... 156, ) == 0x0
 01831  1036   NtQueryValueKey  (156,  (156, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (156, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (156, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01832  1036   NtClose  (156, ... ) == 0x0
 01833  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 156, ) }, ... 156, ) == 0x0
 01834  1036   NtQueryValueKey  (156,  (156, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (156, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (156, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 01835  1036   NtClose  (156, ... ) == 0x0
 01836  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01837  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 156, ) }, ... 156, ) == 0x0
 01838  1036   NtQueryValueKey  (156,  (156, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (156, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (156, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01839  1036   NtClose  (156, ... ) == 0x0
 01840  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01841  1036   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01842  1036   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1378072, 0,  (0x1f0003, {24, 48, 0x80, 1378072, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 156, ) }, 0, 2147483647, ... 156, ) == STATUS_OBJECT_NAME_EXISTS
 01843  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01844  1036   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01845  1036   NtCreateKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 160, 2, ) }, 0, 0x0, 0, ... 160, 2, ) == 0x0
 01846  1036   NtOpenKey  (0x10000, {24, 160, 0x40, 0, 0,  (0x10000, {24, 160, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01847  1036   NtQueryValueKey  (160,  (160, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01848  1036   NtQueryValueKey  (160,  (160, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01849  1036   NtQueryValueKey  (160,  (160, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01850  1036   NtQueryValueKey  (160,  (160, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01851  1036   NtQueryValueKey  (160,  (160, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01852  1036   NtQueryValueKey  (160,  (160, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01853  1036   NtQueryValueKey  (160,  (160, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01854  1036   NtQueryValueKey  (160,  (160, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01855  1036   NtQueryValueKey  (160,  (160, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01856  1036   NtQueryValueKey  (160,  (160, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01857  1036   NtQueryValueKey  (160,  (160, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01858  1036   NtQueryValueKey  (160,  (160, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01859  1036   NtCreateKey  (0x20119, {24, 160, 0x40, 0, 0,  (0x20119, {24, 160, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 164, 2, ) }, 0, 0x0, 0, ... 164, 2, ) == 0x0
 01860  1036   NtCreateKey  (0x20119, {24, 160, 0x40, 0, 0,  (0x20119, {24, 160, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01861  1036   NtClose  (160, ... ) == 0x0
 01862  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 160, ) }, ... 160, ) == 0x0
 01863  1036   NtQueryValueKey  (160,  (160, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01864  1036   NtClose  (160, ... ) == 0x0
 01865  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01866  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01867  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233664, ... ) }, 1233664, ... ) == 0x0
 01868  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01869  1036   NtQueryDirectoryFile  (160, 0, 0, 0, 1233092, 616, BothDirectory, 1,  (160, 0, 0, 0, 1233092, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01870  1036   NtClose  (160, ... ) == 0x0
 01871  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01872  1036   NtQueryDirectoryFile  (160, 0, 0, 0, 1233092, 616, BothDirectory, 1,  (160, 0, 0, 0, 1233092, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01873  1036   NtClose  (160, ... ) == 0x0
 01874  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01875  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01876  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01877  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01878  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232312, ... ) }, 1232312, ... ) == 0x0
 01879  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1231084, ... ) }, 1231084, ... ) == 0x0
 01880  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01881  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01882  1036   NtQueryValueKey  (164,  (164, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01883  1036   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 01884  1036   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01885  1036   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01886  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01887  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 160, ) }, ... 160, ) == 0x0
 01888  1036   NtQueryValueKey  (160,  (160, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01889  1036   NtClose  (160, ... ) == 0x0
 01890  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01891  1036   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01892  1036   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0
 01893  1036   NtQuerySystemTime  (... {1722642814, 29915841}, ) == 0x0
 01894  1036   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01895  1036   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01896  1036   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01897  1036   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01898  1036   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01899  1036   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01900  1036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 184, ) == 0x0
 01901  1036   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 01902  1036   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\20\320L\35T\210\206\244\362DY\2249)\332\177\330t\337,}+e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01903  1036   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01904  1036   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01905  1036   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01906  1036   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01907  1036   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01908  1036   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01909  1036   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01910  1036   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01911  1036   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\355\256gzr\203\233\331\360{\222[}7\275C\11f)ik\243mM\356\262:~\310B\313\357\33oT\261\337\231\330\15\2\3079"\13\34\212\24\35:V\36\276\317\211\217\10\365\244k\210\271\347\342'\351\353\224\327\231\217\304\323;H\374B\225o\353", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\355\256gzr\203\233\331\360{\222[}7\275C\11f)ik\243mM\356\262:~\310B\313\357\33oT\261\337\231\330\15\2\3079"\13\34\212\24\35:V\36\276\317\211\217\10\365\244k\210\271\347\342'\351\353\224\327\231\217\304\323;H\374B\225o\353", 80, ... ) \13\34\212\24\35:V\36\276\317\211\217\10\365\244k\210\271\347\342'\351\353\224\327\231\217\304\323;H\374B\225o\353", 80, ... ) == 0x0
 01912  1036   NtClose  (-2147482740, ... ) == 0x0
 01902  1036   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\31aT\346l\350\276\265\350C\215\250H\334\301!Q\372\330\32\207$\240<\325\227\220\31J, ) , ) == 0x0
 01913  1036   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\20\320L\35T\210\206\244\362DY\2249)\360'\320\303\303^\21\270\211\330t\337,}+e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01914  1036   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01915  1036   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01916  1036   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01917  1036   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01918  1036   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01919  1036   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01920  1036   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01921  1036   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01922  1036   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\17\237\326\374\256g&\241\24s\251{H\362\355s)\313\335\5Jw?|{\376\243z\261\14\210"\367\375\253J\231\356*'\25\367\360\331\21\25\331\320\320K\375\317o\67\200\1+JL\316\354\363?pem@T2\212fs\3`\301A\23\262", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\17\237\326\374\256g&\241\24s\251{H\362\355s)\313\335\5Jw?|{\376\243z\261\14\210"\367\375\253J\231\356*'\25\367\360\331\21\25\331\320\320K\375\317o\67\200\1+JL\316\354\363?pem@T2\212fs\3`\301A\23\262", 80, ... ) \367\375\253J\231\356*'\25\367\360\331\21\25\331\320\320K\375\317o\67\200\1+JL\316\354\363?pem@T2\212fs\3`\301A\23\262", 80, ... ) == 0x0
 01923  1036   NtClose  (-2147482740, ... ) == 0x0
 01913  1036   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\7\23\2038\34\323B\177)\353\25\36P\311p:\255\310:\316Q\360B\37\273\346@\216\302!\357\2773e-\263\272\370\363\342\257>H\346\3759\230R?\363\335[J\261\310\356!g(\302\24\301<.\37\329\337d\243\340\37\212N\20\376B\7\4h\351h\234\322\261\20)#\376G>(\202X\313 y\362\274\266W\253\16\6\272%}\343\321\364\353\177F\353\240I\355m\6\274\231\233\212\316\252"\346\30\312\7G\210L\27\367$m\357\227g\225\203\254\336\302\275\322IR\225&5|\265\277\255!\355\217\363<\323\200\301\340\324M\206\313*\242q\32\355\362d:\3151\333\306\375T!\264\205\240Y\216%\260\274\0@\217\362M\31||5\372\24\276\2561\332\3\370#\33:u\370\306\316N\256\204\L\23\233\325\316\320Y\321\322$\220\345\10\260\362!\12\327\213\13\17\336\340\270C!\312\34\3138%\354\357\257\31\225", ) \346\30\312\7G\210L\27\367$m\357\227g\225\203\254\336\302\275\322IR\225&5|\265\277\255!\355\217\363<\323\200\301\340\324M\206\313*\242q\32\355\362d:\3151\333\306\375T!\264\205\240Y\216%\260\274\0@\217\362M\31||5\372\24\276\2561\332\3\370#\33:u\370\306\316N\256\204\L\23\233\325\316\320Y\321\322$\220\345\10\260\362!\12\327\213\13\17\336\340\270C!\312\34\3138%\354\357\257\31\225", ) == 0x0
 01924  1036   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\20\320L\35T\210\206\244\362DY\2249)\360'\320\303\303^\21\222\321\320\303\303^\21\270\211\330t\337,}+e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01925  1036   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01926  1036   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01927  1036   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01928  1036   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01929  1036   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01930  1036   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01931  1036   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01932  1036   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01933  1036   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\238\177\264\226Z\310\3E\16\337\34\25\306\261%\3618\7A\352L\2000B\332\35\6\310\177\366,\10v\14\362\354\315\257\313\205\302p\315\204>=\313\231\206u\360\36y\23\204B\210\2\357\17\230\240HT\32\356\377J\13\221>r\323\12>D\321v\346", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\238\177\264\226Z\310\3E\16\337\34\25\306\261%\3618\7A\352L\2000B\332\35\6\310\177\366,\10v\14\362\354\315\257\313\205\302p\315\204>=\313\231\206u\360\36y\23\204B\210\2\357\17\230\240HT\32\356\377J\13\221>r\323\12>D\321v\346", 80, ... ) , 80, ... ) == 0x0
 01934  1036   NtClose  (-2147482740, ... ) == 0x0
 01924  1036   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "!B\317\343z*\235 c\207\3032`M\262\317A\320\243#\20\370\351S|7\11\21\37\212\263k\275\11\224g\5\300V\14\3645\261\222&|F\237\2001#\0,22J\345?]\263\207\345H\355^0\310$\35\205\21\230\325\210\240\233\227\335@\2O\344\321\374*\270\320J\7\262\341\227\225$\240}Om1\273g\347\233\236\357V(\30&=\35\234\227\360\335b[[\351]\321\361\232a\5\242\257\357t\350\234;`!\277\1\336#\356\357\316\351.\10\245\21\377N\250\1\226\6\363\240\375\225\335aZ\335\314\307\220\376\331\366\271\245\247\310\305\13\36nvg\5{\223\12W\335q\221Do\15\201\26\370a\334\323\6\5h\24\25\276vDc\234\35y\234\360\361\316\354\233\371F\240%\26\36QBz\237?\340\15x\222gw2\277d\2606.G\261\315\377R\351\6\5\246'\214g\271\256\250\31\375\301\216\357\311\243", ) , ) == 0x0
 01935  1036   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\20\320L\35T\210\206\244\362DY\2249)\360'\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\270\211\330t\337,}+e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01936  1036   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01937  1036   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01938  1036   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01939  1036   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01940  1036   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01941  1036   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01942  1036   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01943  1036   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01944  1036   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\376[\326fn"\306\231\207\13\235\127\26\376fce\336kB\252K\224k\32\2052PA:\276^]\333j\350\326\363 \205q\271u\341\243\3704\221\5\301\231\216I,{\374\256\242_v\257\30\200X\30\3133\327\372\343\367\250j~\233=\345\0#", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\376[\326fn"\306\231\207\13\235\127\26\376fce\336kB\252K\224k\32\2052PA:\276^]\333j\350\326\363 \205q\271u\341\243\3704\221\5\301\231\216I,{\374\256\242_v\257\30\200X\30\3133\327\372\343\367\250j~\233=\345\0#", 80, ... ) \306\231\207\13\235\127\26\376fce\336kB\252K\224k\32\2052PA:\276^]\333j\350\326\363 \205q\271u\341\243\3704\221\5\301\231\216I,{\374\256\242_v\257\30\200X\30\3133\327\372\343\367\250j~\233=\345\0#", 80, ... ) == 0x0
 01945  1036   NtClose  (-2147482740, ... ) == 0x0
 01935  1036   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "Rx$0\207\205\236\353\17`\314\317\256H\3069\273\204\233,\302\1En\227\16P\213\6L@\15\310\221\257\316\330\316b_d\375T\210\266y\253\307\210\215-$\374\356m\331\223u\322\213\5\15O\337\325\273\237\26wO"\330\345!,\367\311fp^u\301\256H\243\33\12\204\377\22A\317\235\225Wa|\225\315\12\27q3@\366\373\333\21I\323v\312\350~\335\371\335\305kK7\257]\357\2\327\343\301\25\345\2114S\223IEU`\354(\215\321\3457\340?\327\265\251\277\206.*MrVf\267\376\317gl\275\223y\12p\226r\277\362U\341\375\327\203\352?\344V\264\336\253\234\355\261\303\363G\242\4\362Is\332\235\124#\223&\25\241\266\217\177\235\314%'CP\24\2523\255\330\277\370m{9\307W\11\23\15\255\300/\246\241\3763\27\325Q\2HE\215\211\34\364\220\361\272G\364\11\265/\3527", ) \330\345!,\367\311fp^u\301\256H\243\33\12\204\377\22A\317\235\225Wa|\225\315\12\27q3@\366\373\333\21I\323v\312\350~\335\371\335\305kK7\257]\357\2\327\343\301\25\345\2114S\223IEU`\354(\215\321\3457\340?\327\265\251\277\206.*MrVf\267\376\317gl\275\223y\12p\226r\277\362U\341\375\327\203\352?\344V\264\336\253\234\355\261\303\363G\242\4\362Is\332\235\124#\223&\25\241\266\217\177\235\314%'CP\24\2523\255\330\277\370m{9\307W\11\23\15\255\300/\246\241\3763\27\325Q\2HE\215\211\34\364\220\361\272G\364\11\265/\3527", ) == 0x0
 01946  1036   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\20\320L\35T\210\206\244\362DY\2249)\360'\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\270\211\330t\337,}+e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01947  1036   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01948  1036   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01949  1036   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01950  1036   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01951  1036   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01952  1036   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01953  1036   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01954  1036   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01955  1036   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "m\224c\212d\272@\240\16\302\251\13\23\336\235\211\227\227J\361\373\2432\311vNI\2\206pW\\227\270\304\\277N"\234d\232\263\225\265&\4\323\302]@\233R\316\273=\367\263\222\267`1\245&@\241\356\273\27\215r\36)\337!\236\4\230\204\362", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "m\224c\212d\272@\240\16\302\251\13\23\336\235\211\227\227J\361\373\2432\311vNI\2\206pW\\227\270\304\\277N"\234d\232\263\225\265&\4\323\302]@\233R\316\273=\367\263\222\267`1\245&@\241\356\273\27\215r\36)\337!\236\4\230\204\362", 80, ... ) \234d\232\263\225\265&\4\323\302]@\233R\316\273=\367\263\222\267`1\245&@\241\356\273\27\215r\36)\337!\236\4\230\204\362", 80, ... ) == 0x0
 01956  1036   NtClose  (-2147482740, ... ) == 0x0
 01946  1036   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\235\241+\250\24\264Ah\?\214\217\200\333O\216\244\33\373\250\265J\244\235\225$G\263\206P\2667(dF\\37VId`q\240x\35f\322lbb3jO\33l'\357f\305\0\7\350\231H?F.*\301\255M\205\242\3\204\217\5\273\0\345\14\272`\314\350F\263\351B\324 \256y2\353\367\364\314v<\26\262B\317d\324M\261=)\210\355IX\6V\302\307\316\240k\24\202\304\214F\3\11gJ\1>\203m\377^\304\2169\2717\240\2Bh2,h'\34\213\330\244\205\330.\223|\336 \271\271\274\244t\21\337]0G\33\230\214\12s\26\14\7c\31\321R\25{}\27\326\367o\306\242\350\310\247\355'\237BD\317\307\365"G($\354:\365\3634u\264\353Id\277\202\322\201<\326\245\235\302t\236\2\363\227\366\263v\275\265\262\271\305\224\337a&ww#|MJ#M7\374", ) G($\354:\365\3634u\264\353Id\277\202\322\201<\326\245\235\302t\236\2\363\227\366\263v\275\265\262\271\305\224\337a&ww#|MJ#M7\374", ) == 0x0
 01957  1036   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\20\320L\35T\210\206\244\362DY\2249)\360'\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\270\211\330t\337,}+e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01958  1036   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01959  1036   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01960  1036   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01961  1036   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01962  1036   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01963  1036   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01964  1036   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01965  1036   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01966  1036   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\234\255\357QD\373]\266z\0#U{\353(+i\1=\250:\277\250\34\357\323\257\271\237\342\333\233{_\327\251\33\33~\213/\347\211\332?Qu\2642\254p\2312~&\270(, 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\234\255\357QD\373]\266z\0#U{\353(+i\1=\250:\277\250\34\357\323\257\271\237\342\333\233{_\327\251\33\33~\213/\347\211\332?Qu\2642\254p\2312~&\270(, 80, ... ) , 80, ... ) == 0x0
 01967  1036   NtClose  (-2147482740, ... ) == 0x0
 01957  1036   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\311\217\36\360\261\271N]\250\315g\253\231\275wVm\221\251\376\213\11e\255\365\311\353\357d\361f\311\{\346s\264J\246\7\245\317\377\362-\334\301`_\10\270\275c\324\315:\355g0u`\377\30D\342\362x\377\3727\377\304\353,\17\345tB\210\201{\\215\326\177u\223a0\335e\35.\271\253\244\30@>\346\34Nm\266h\343\261+\213-l\36;\246\267*\204VJ\371\37\334/\372gx\260u\320GDs\274\267^\355'\377\302\227\32\203\317z\241\202\323J\2\304\16\242\264DfFw\322\226\352\244\277\37\30\17\254\237\210\2111\371Y\211\311\242Nps\13%\216\11i\345\274\264\303\364\331\31\\230\224\177\201\341\222p\3746\306&\241s\257\251\334"\374r\12\246\251(\362tq\232\11uaUG\212dge\236t:\27\371\177\356?\33\265z\324\377\256\374U\266S\233ZYG(\264\243)Fb\274", ) \374r\12\246\251(\362tq\232\11uaUG\212dge\236t:\27\371\177\356?\33\265z\324\377\256\374U\266S\233ZYG(\264\243)Fb\274", ) == 0x0
 01968  1036   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\20\320L\35T\210\206\244\362DY\2249)\360'\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\222\321\320\303\303^\21\270\211\330t\337,}+e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01969  1036   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01970  1036   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01971  1036   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01972  1036   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01973  1036   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01974  1036   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01975  1036   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01976  1036   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01977  1036   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\220\201\340\324\31$]\373k\256\321\1#\3\11\373\207fU}\352\213\265m\323<\273\27W2/\345.fx@\350\31\254O\242xE\337B\273\267\363\355*\270\373\205\254\251\241@\367H\362\217\256W\14\226\200\266\200v\225(+\2004Nifn\336v", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\220\201\340\324\31$]\373k\256\321\1#\3\11\373\207fU}\352\213\265m\323<\273\27W2/\345.fx@\350\31\254O\242xE\337B\273\267\363\355*\270\373\205\254\251\241@\367H\362\217\256W\14\226\200\266\200v\225(+\2004Nifn\336v", 80, ... ) , 80, ... ) == 0x0
 01978  1036   NtClose  (-2147482740, ... ) == 0x0
 01968  1036   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\271\23\22\365\314\2647C\351\322\316\332\223#W\235\201\244\346\276q.\364\330\202\245\22^_\317\246\274\371\222\357\25'\303!\335\24E\202\3304@\345\243\203\360n\331\\273\277t#\264\34\\247\324\355p\206m :\200b*\237\211\220P`DBp\206\230%\255}\365I\214\375\4TL\373\205z\2662]+<\37{\345\13\209\325\20\245e\353\364K\375\331\245yX\267\266II\210Et{Ks\353\24\334\33P\272P<9\223\345\356\255\321\240I|\204\30A!\250#\223\265v\230\265,Z\362\375\312#\256 \33-\200\303\264\1\356\343\257\204\351\21\202z\244\372\14m\365\222\202\360P3f\367\367\3\230\323\315\243/o\356\252\252[0}fC\241\266\326\334\256\301c\377tQV\200\310y\24<\304\332\366\4\227\374\333\332\7\315\230\4\277o<\202\255Z\20m\316\215\311.Q\260\11\255\311\2\275\257\24\327\35", ) , ) == 0x0
 01979  1036   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0
 01980  1036   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1231456, 188, ... 192, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1231456, 188, ... 192, 0x0, 0x0, 0x0, 188, ) == 0x0
 01981  1036   NtRequestWaitReplyPort  (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2}  (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1248, 1036, 57976, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260 (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1248, 1036, 57976, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0(\0\0\0\270 (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1248, 1036, 57976, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ... {200, 224, reply, 0, 1248, 1036, 57976, 0}  (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1248, 1036, 57976, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0h\1\24\0\12\0\0\0\0\0\0\0\260 (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1248, 1036, 57976, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\373o\360\10\331q\302\261\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0;\350\17\20x\1\24\0(\0\0\0\247j\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) == 0x0
 01982  1036   NtRequestWaitReplyPort  (192, {32, 56, new_msg, 0, 0, 0, 0, 0}  (192, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1248, 1036, 57977, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ... {124, 148, reply, 0, 1248, 1036, 57977, 0}  (192, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1248, 1036, 57977, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ) == 0x0
 01983  1036   NtRequestWaitReplyPort  (192, {44, 68, new_msg, 56, 1248, 1036, 57977, 0}  (192, {44, 68, new_msg, 56, 1248, 1036, 57977, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0`%\25\0\10\5\0\0" ... {40, 64, reply, 0, 1248, 1036, 57978, 0} "\2\376\255\201\4\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 1248, 1036, 57978, 0}  (192, {44, 68, new_msg, 56, 1248, 1036, 57977, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0`%\25\0\10\5\0\0" ... {40, 64, reply, 0, 1248, 1036, 57978, 0} "\2\376\255\201\4\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\14\5\0\0\320\371\15\0" )  ) == 0x0
 01984  1036   NtRequestWaitReplyPort  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1385816, 0}  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1385816, 0} "\10\0\0\0@\0\1\1U\1\0\0\230\313\22\0`%\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\0`%\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1248, 1036, 57979, 0} "\10\0\0\0@\0\1\1U\1\0\0\230\313\22\0`%\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\0`%\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1248, 1036, 57979, 0}  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1385816, 0} "\10\0\0\0@\0\1\1U\1\0\0\230\313\22\0`%\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\0`%\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1248, 1036, 57979, 0} "\10\0\0\0@\0\1\1U\1\0\0\230\313\22\0`%\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\0`%\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01985  1036   NtRequestWaitReplyPort  (192, {44, 68, new_msg, 56, 1248, 1036, 57978, 0}  (192, {44, 68, new_msg, 56, 1248, 1036, 57978, 0} "\1\376\0\0B\2\5\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\1\0\0\00*\25\0\10\5\0\0" ... {40, 64, reply, 0, 1248, 1036, 57980, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 1248, 1036, 57980, 0}  (192, {44, 68, new_msg, 56, 1248, 1036, 57978, 0} "\1\376\0\0B\2\5\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\1\0\0\00*\25\0\10\5\0\0" ... {40, 64, reply, 0, 1248, 1036, 57980, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ) == 0x0
 01986  1036   NtRequestWaitReplyPort  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1387048, 0}  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1387048, 0} "\10\0\0\0@\0\1\1\273\0\0\0\230\313\22\00*\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\00*\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1248, 1036, 57981, 0} "\10\0\0\0@\0\1\1\273\0\0\0\230\313\22\00*\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\00*\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1248, 1036, 57981, 0}  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1387048, 0} "\10\0\0\0@\0\1\1\273\0\0\0\230\313\22\00*\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\00*\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1248, 1036, 57981, 0} "\10\0\0\0@\0\1\1\273\0\0\0\230\313\22\00*\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\00*\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01987  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 196, ) }, ... 196, ) == 0x0
 01988  1036   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "ActiveComputerName"}, ... 200, ) }, ... 200, ) == 0x0
 01989  1036   NtQueryValueKey  (200,  (200, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (200, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (200, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01990  1036   NtClose  (200, ... ) == 0x0
 01991  1036   NtClose  (196, ... ) == 0x0
 01992  1036   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 196, ) == 0x0
 01993  1036   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 200, ) == 0x0
 01994  1036   NtDuplicateObject  (-1, 196, -1, 0x0, 0, 2, ... 204, ) == 0x0
 01995  1036   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01996  1036   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 208, ) == 0x0
 01997  1036   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01998  1036   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01999  1036   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231492,  (0xc0100080, {24, 0, 0x40, 0, 1231492, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0
 02000  1036   NtSetInformationFile  (212, 1231548, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02001  1036   NtSetInformationFile  (212, 1231536, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02002  1036   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02003  1036   NtWriteFile  (212, 181, 0, 0,  (212, 181, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02004  1036   NtReadFile  (212, 181, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (212, 181, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02005  1036   NtFsControlFile  (212, 181, 0x0, 0x0, 0x11c017,  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\321\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\321\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02006  1036   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 02007  1036   NtFsControlFile  (212, 181, 0x0, 0x0, 0x11c017,  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\0\324\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0as\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\0\324\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0as\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , ) == 0x103
 02008  1036   NtFsControlFile  (212, 181, 0x0, 0x0, 0x11c017,  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\3400\25\0\1\0\0\0\3540\25\0 \0\0\0\1\0\0\0\16\0\20\0\3700\25\0\101\25\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0H1\25\0\1\0\0\0\1\0\0\0X1\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\3400\25\0\1\0\0\0\3540\25\0 \0\0\0\1\0\0\0\16\0\20\0\3700\25\0\101\25\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0H1\25\0\1\0\0\0\1\0\0\0X1\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02009  1036   NtClose  (208, ... ) == 0x0
 02010  1036   NtClose  (212, ... ) == 0x0
 02011  1036   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02012  1036   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 02013  1036   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02014  1036   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02015  1036   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231464,  (0xc0100080, {24, 0, 0x40, 0, 1231464, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 208, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 208, {status=0x0, info=1}, ) == 0x0
 02016  1036   NtSetInformationFile  (208, 1231520, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02017  1036   NtSetInformationFile  (208, 1231508, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02018  1036   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02019  1036   NtWriteFile  (208, 181, 0, 0,  (208, 181, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02020  1036   NtReadFile  (208, 181, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (208, 181, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02021  1036   NtFsControlFile  (208, 181, 0x0, 0x0, 0x11c017,  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\321\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\321\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02022  1036   NtFsControlFile  (208, 181, 0x0, 0x0, 0x11c017,  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\0\324\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0as\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\0\324\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0as\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , ) == 0x103
 02023  1036   NtFsControlFile  (208, 181, 0x0, 0x0, 0x11c017,  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\3400\25\0\1\0\0\0\3540\25\0 \0\0\0\1\0\0\0\16\0\20\0\3700\25\0\101\25\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0H1\25\0\1\0\0\0\1\0\0\0X1\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\3400\25\0\1\0\0\0\3540\25\0 \0\0\0\1\0\0\0\16\0\20\0\3700\25\0\101\25\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0H1\25\0\1\0\0\0\1\0\0\0X1\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02024  1036   NtClose  (212, ... ) == 0x0
 02025  1036   NtClose  (208, ... ) == 0x0
 02026  1036   NtOpenProcessToken  (-1, 0x20008, ... 208, ) == 0x0
 02027  1036   NtQueryInformationToken  (208, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02028  1036   NtQueryInformationToken  (208, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 02029  1036   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 212, ) }, ... 212, ) == 0x0
 02030  1036   NtUserOpenWindowStation  ({24, 212, 0x40, 0, 0,  ({24, 212, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0xd8
 02031  1036   NtClose  (212, ... ) == 0x0
 02032  1036   NtUserCloseWindowStation  (216, ...
 02033  1036   NtClose  (216, ... ) == 0x0
 02032  1036   NtUserCloseWindowStation  ... ) == 0x1
 02034  1036   NtClose  (208, ... ) == 0x0
 02035  1036   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 208, ) == 0x0
 02036  1036   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 216, ) == 0x0
 02037  1036   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 212, ) == 0x0
 02038  1036   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 220, ) == 0x0
 02039  1036   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 224, ) == 0x0
 02040  1036   NtMapViewOfSection  (224, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xbf0000), {0, 0}, 8192, ) == 0x0
 02041  1036   NtQueryDefaultUILanguage  (1232156, ...
 02042  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02043  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 02044  1036   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02045  1036   NtClose  (-2147482740, ... ) == 0x0
 02046  1036   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 02047  1036   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02048  1036   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 02049  1036   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02050  1036   NtClose  (-2147481328, ... ) == 0x0
 02051  1036   NtClose  (-2147482740, ... ) == 0x0
 02041  1036   NtQueryDefaultUILanguage  ... ) == 0x0
 02052  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02053  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02054  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230400, ... ) }, 1230400, ... ) == 0x0
 02055  1036   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 02056  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1229172, ... ) }, 1229172, ... ) == 0x0
 02057  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02058  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02059  1036   NtCreateFile  (0x10100080, {24, 0, 0x40, 0, 1231508,  (0x10100080, {24, 0, 0x40, 0, 1231508, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\c5c_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 02060  1036   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02061  1036   NtClose  (-2147482740, ... ) == 0x0
 02062  1036   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02063  1036   NtClose  (-2147482740, ... ) == 0x0
 02064  1036   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02065  1036   NtClose  (-2147482740, ... ) == 0x0
 02059  1036   NtCreateFile  ... 228, {status=0x0, info=2}, ) == 0x0
 02066  1036   NtClose  (228, ... ) == 0x0
 02067  1036   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 02068  1036   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02069  1036   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 228, {status=0x0, info=1}, ) }, 3, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02070  1036   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 232, ) }, ... 232, ) == 0x0
 02071  1036   NtQuerySymbolicLinkObject  (232, ...  (232, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 02072  1036   NtClose  (232, ... ) == 0x0
 02073  1036   NtQueryVolumeInformationFile  (228, 1230724, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02074  1036   NtClose  (228, ... ) == 0x0
 02075  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 02076  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02077  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 228, ... 232, ) == 0x0
 02078  1036   NtClose  (228, ... ) == 0x0
 02079  1036   NtMapViewOfSection  (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc00000), 0x0, 126976, ) == 0x0
 02080  1036   NtClose  (232, ... ) == 0x0
 02081  1036   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02082  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1229828, ... ) }, 1229828, ... ) == 0x0
 02083  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0
 02084  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 232, ... 228, ) == 0x0
 02085  1036   NtQuerySection  (228, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02086  1036   NtClose  (232, ... ) == 0x0
 02087  1036   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02088  1036   NtClose  (228, ... ) == 0x0
 02089  1036   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02090  1036   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02091  1036   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02092  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02093  1036   NtAllocateVirtualMemory  (-1, 1392640, 0, 12288, 4096, 4, ... 1392640, 12288, ) == 0x0
 02094  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1231216, ... ) }, 1231216, ... ) == 0x0
 02095  1036   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1231224,  (0x40100080, {24, 0, 0x40, 0, 1231224, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\c5c_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 02096  1036   NtClose  (-2147482740, ... ) == 0x0
 02097  1036   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02098  1036   NtClose  (-2147482740, ... ) == 0x0
 02099  1036   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02100  1036   NtClose  (-2147482740, ... ) == 0x0
 02101  1036   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02102  1036   NtClose  (-2147482740, ... ) == 0x0
 02095  1036   NtCreateFile  ... 228, {status=0x0, info=3}, ) == 0x0
 02103  1036   NtAllocateVirtualMemory  (-1, 1404928, 0, 12288, 4096, 4, ... 1404928, 12288, ) == 0x0
 02104  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02105  1036   NtQueryDirectoryFile  (232, 0, 0, 0, 1229928, 616, BothDirectory, 1,  (232, 0, 0, 0, 1229928, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 02106  1036   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 02107  1036   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (228, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (228, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 02108  1036   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 02109  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230308, ... ) }, 1230308, ... ) == 0x0
 02110  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 02111  1036   NtQueryDirectoryFile  (236, 0, 0, 0, 1229920, 592, Directory, 1,  (236, 0, 0, 0, 1229920, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 02112  1036   NtClose  (236, ... ) == 0x0
 02113  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02114  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02115  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1228840, ... ) }, 1228840, ... ) == 0x0
 02116  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1227612, ... ) }, 1227612, ... ) == 0x0
 02117  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02118  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02119  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) == 0x0
 02120  1036   NtQueryInformationFile  (236, 1230396, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02121  1036   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 236, ... 240, ) == 0x0
 02122  1036   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc00000), 0x0, 262144, ) == 0x0
 02123  1036   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02124  1036   NtClose  (240, ... ) == 0x0
 02125  1036   NtClose  (236, ... ) == 0x0
 02126  1036   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\06\00\00\09\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\06\00\00\09\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \02\06\00\00\09\06\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\06\00\00\09\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\09\02\0E\04\0B\0E\0B\0D\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\06\00\00\09\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0W\0I\0N\03\02\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\06\00\00\09\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\03\0B\06\00\0F\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\06\00\00\09\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\00\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\06\00\00\09\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\06\00\00\09\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\06\00\00\09\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... , 418, 0x0, 0, ...
 02127  1036   NtContinue  (-139616172, 0, ...
 02126  1036   NtWriteFile  ... {status=0x0, info=418}, ) == 0x0
 02128  1036   NtQueryDirectoryFile  (232, 0, 0, 0, 1405864, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02129  1036   NtClose  (232, ... ) == 0x0
 02130  1036   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 02131  1036   NtClose  (228, ... ) == 0x0
 02132  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1231216, ... ) }, 1231216, ... ) == 0x0
 02133  1036   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1231224,  (0x40100080, {24, 0, 0x40, 0, 1231224, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\c5c_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 228, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 228, {status=0x0, info=1}, ) == 0x0
 02134  1036   NtQueryInformationFile  (228, 1231248, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02135  1036   NtSetInformationFile  (228, 1231280, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02136  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02137  1036   NtQueryDirectoryFile  (232, 0, 0, 0, 1229928, 616, BothDirectory, 1,  (232, 0, 0, 0, 1229928, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02138  1036   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 02139  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230280, ... ) }, 1230280, ... ) == 0x0
 02140  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 02141  1036   NtQueryDirectoryFile  (236, 0, 0, 0, 1229920, 592, Directory, 1,  (236, 0, 0, 0, 1229920, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 02142  1036   NtClose  (236, ... ) == 0x0
 02143  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02144  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02145  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1228840, ... ) }, 1228840, ... ) == 0x0
 02146  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1227612, ... ) }, 1227612, ... ) == 0x0
 02147  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02148  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02149  1036   NtQueryDefaultLocale  (1, 1229800, ... ) == 0x0
 02150  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02151  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02152  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1228832, ... ) }, 1228832, ... ) == 0x0
 02153  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1227604, ... ) }, 1227604, ... ) == 0x0
 02154  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02155  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02156  1036   NtQueryDefaultLocale  (1, 1229792, ... ) == 0x0
 02157  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) == 0x0
 02158  1036   NtQueryInformationFile  (236, 1230396, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02159  1036   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 236, ... 240, ) == 0x0
 02160  1036   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc00000), 0x0, 987136, ) == 0x0
 02161  1036   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02162  1036   NtClose  (240, ... ) == 0x0
 02163  1036   NtClose  (236, ... ) == 0x0
 02164  1036   NtQueryDefaultUILanguage  (1229752, ...
 02165  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02166  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 02167  1036   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02168  1036   NtClose  (-2147482740, ... ) == 0x0
 02169  1036   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 02170  1036   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02171  1036   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 02172  1036   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02173  1036   NtClose  (-2147481328, ... ) == 0x0
 02174  1036   NtClose  (-2147482740, ... ) == 0x0
 02164  1036   NtQueryDefaultUILanguage  ... ) == 0x0
 02175  1036   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0
 02176  1036   NtQueryDirectoryFile  (232, 0, 0, 0, 1397160, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02177  1036   NtClose  (232, ... ) == 0x0
 02178  1036   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 02179  1036   NtClose  (228, ... ) == 0x0
 02180  1036   NtUnmapViewOfSection  (-1, 0x77b40000, ... ) == 0x0
 02181  1036   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02182  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228488, ... ) }, 1228488, ... ) == 0x0
 02183  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229224, ... ) }, 1229224, ... ) == 0x0
 02184  1036   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02185  1036   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 228, ... 232, ) == 0x0
 02186  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02187  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 236, ) }, ... 236, ) == 0x0
 02188  1036   NtQueryValueKey  (236,  (236, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02189  1036   NtClose  (236, ... ) == 0x0
 02190  1036   NtQueryVolumeInformationFile  (228, 1228500, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02191  1036   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 02192  1036   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 02193  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1226432, ... ) }, 1226432, ... ) == 0x0
 02194  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 02195  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 236, ... 240, ) == 0x0
 02196  1036   NtClose  (236, ... ) == 0x0
 02197  1036   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc00000), 0x0, 126976, ) == 0x0
 02198  1036   NtClose  (240, ... ) == 0x0
 02199  1036   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02200  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1226740, ... ) }, 1226740, ... ) == 0x0
 02201  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 02202  1036   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 236, ) == 0x0
 02203  1036   NtQuerySection  (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02204  1036   NtClose  (240, ... ) == 0x0
 02205  1036   NtMapViewOfSection  (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02206  1036   NtClose  (236, ... ) == 0x0
 02207  1036   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02208  1036   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02209  1036   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02210  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) == 0x0
 02212  1036   NtQueryInformationFile  (236, 1226756, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02213  1036   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 236, ... 240, ) == 0x0
 02214  1036   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc00000), 0x0, 1191936, ) == 0x0
 02215  1036   NtQueryInformationFile  (236, 1226856, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02216  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02217  1036   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 02218  1036   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02219  1036   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02220  1036   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02221  1036   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 244, ) }, ... 244, ) == 0x0
 02222  1036   NtQueryValueKey  (244,  (244, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (244, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02223  1036   NtClose  (244, ... ) == 0x0
 02224  1036   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02225  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02226  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1224452, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224452, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02227  1036   NtClose  (244, ... ) == 0x0
 02228  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02229  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02230  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224828, ... ) }, 1224828, ... ) == 0x0
 02231  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02232  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02233  1036   NtClose  (244, ... ) == 0x0
 02234  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02235  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02236  1036   NtClose  (244, ... ) == 0x0
 02237  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02238  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02239  1036   NtClose  (244, ... ) == 0x0
 02240  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02241  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02242  1036   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02243  1036   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02244  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02245  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02246  1036   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02247  1036   NtClose  (244, ... ) == 0x0
 02248  1036   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02249  1036   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02250  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1225660, ... ) }, 1225660, ... ) == 0x0
 02251  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02252  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02253  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224528, ... ) }, 1224528, ... ) == 0x0
 02254  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 02255  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 244, ... 248, ) == 0x0
 02256  1036   NtClose  (244, ... ) == 0x0
 02257  1036   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd30000), 0x0, 180224, ) == 0x0
 02258  1036   NtClose  (248, ... ) == 0x0
 02259  1036   NtUnmapViewOfSection  (-1, 0xd30000, ... ) == 0x0
 02260  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224124, ... ) }, 1224124, ... ) == 0x0
 02261  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1224868,  (0x80100080, {24, 0, 0x40, 0, 1224868, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 02262  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 244, ) == 0x0
 02263  1036   NtClose  (248, ... ) == 0x0
 02264  1036   NtMapViewOfSection  (244, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xd30000), {0, 0}, 180224, ) == 0x0
 02265  1036   NtClose  (244, ... ) == 0x0
 02266  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02267  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02268  1036   NtQueryDefaultLocale  (1, 1225488, ... ) == 0x0
 02269  1036   NtQueryVirtualMemory  (-1, 0xd30000, Basic, 28, ... {BaseAddress=0xd30000,AllocationBase=0xd30000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02270  1036   NtQueryVirtualMemory  (-1, 0xd30000, Basic, 28, ... {BaseAddress=0xd30000,AllocationBase=0xd30000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02271  1036   NtUnmapViewOfSection  (-1, 0xd30000, ... ) == 0x0
 02272  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02273  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02274  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224520, ... ) }, 1224520, ... ) == 0x0
 02275  1036   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 02276  1036   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 244, ... 248, ) == 0x0
 02277  1036   NtClose  (244, ... ) == 0x0
 02278  1036   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd30000), 0x0, 180224, ) == 0x0
 02279  1036   NtClose  (248, ... ) == 0x0
 02280  1036   NtUnmapViewOfSection  (-1, 0xd30000, ... ) == 0x0
 02281  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224116, ... ) }, 1224116, ... ) == 0x0
 02282  1036   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1224860,  (0x80100080, {24, 0, 0x40, 0, 1224860, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 02283  1036   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 244, ) == 0x0
 02284  1036   NtClose  (248, ... ) == 0x0
 02285  1036   NtMapViewOfSection  (244, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xd30000), {0, 0}, 180224, ) == 0x0
 02286  1036   NtClose  (244, ... ) == 0x0
 02287  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02288  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02289  1036   NtQueryDefaultLocale  (1, 1225480, ... ) == 0x0
 02290  1036   NtQueryVirtualMemory  (-1, 0xd30000, Basic, 28, ... {BaseAddress=0xd30000,AllocationBase=0xd30000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02291  1036   NtUnmapViewOfSection  (-1, 0xd30000, ... ) == 0x0
 02292  1036   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02293  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02294  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02295  1036   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02296  1036   NtClose  (244, ... ) == 0x0
 02297  1036   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02299  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02300  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1226080, ... ) }, 1226080, ... ) == 0x0
 02301  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02302  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1,  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02303  1036   NtClose  (244, ... ) == 0x0
 02304  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02305  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1,  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02306  1036   NtClose  (244, ... ) == 0x0
 02307  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02308  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1,  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02309  1036   NtClose  (244, ... ) == 0x0
 02310  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02311  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02312  1036   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 02313  1036   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 02314  1036   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02315  1036   NtClose  (240, ... ) == 0x0
 02316  1036   NtClose  (236, ... ) == 0x0
 02317  1036   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02318  1036   NtOpenProcessToken  (-1, 0xa, ... 236, ) == 0x0
 02319  1036   NtQueryInformationToken  (236, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 02320  1036   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02321  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 240, ) }, ... 240, ) == 0x0
 02322  1036   NtQueryValueKey  (240,  (240, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (240, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02323  1036   NtQueryValueKey  (240,  (240, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (240, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02324  1036   NtClose  (240, ... ) == 0x0
 02325  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02326  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 240, ) }, ... 240, ) == 0x0
 02327  1036   NtQueryValueKey  (240,  (240, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02328  1036   NtClose  (240, ... ) == 0x0
 02329  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02330  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02331  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02332  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02333  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02334  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02335  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02336  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02337  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02338  1036   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02339  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 240, ) }, ... 240, ) == 0x0
 02340  1036   NtEnumerateKey  (240, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (240, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02341  1036   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 244, ) }, ... 244, ) == 0x0
 02342  1036   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02343  1036   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02344  1036   NtClose  (244, ... ) == 0x0
 02345  1036   NtEnumerateKey  (240, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02346  1036   NtClose  (240, ... ) == 0x0
 02347  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 240, ) }, ... 240, ) == 0x0
 02348  1036   NtEnumerateKey  (240, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 02349  1036   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 244, ) }, ... 244, ) == 0x0
 02350  1036   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 02351  1036   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02352  1036   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02353  1036   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02354  1036   NtClose  (244, ... ) == 0x0
 02355  1036   NtEnumerateKey  (240, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 02356  1036   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 244, ) }, ... 244, ) == 0x0
 02357  1036   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 02358  1036   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02359  1036   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02360  1036   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02361  1036   NtClose  (244, ... ) == 0x0
 02362  1036   NtEnumerateKey  (240, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 02363  1036   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 244, ) }, ... 244, ) == 0x0
 02364  1036   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 02365  1036   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02366  1036   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02367  1036   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02368  1036   NtClose  (244, ... ) == 0x0
 02369  1036   NtEnumerateKey  (240, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 02370  1036   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 244, ) }, ... 244, ) == 0x0
 02371  1036   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 02372  1036   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02373  1036   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02374  1036   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02375  1036   NtClose  (244, ... ) == 0x0
 02376  1036   NtEnumerateKey  (240, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 02377  1036   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 244, ) }, ... 244, ) == 0x0
 02378  1036   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 02379  1036   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02380  1036   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02381  1036   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02382  1036   NtClose  (244, ... ) == 0x0
 02383  1036   NtEnumerateKey  (240, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02384  1036   NtClose  (240, ... ) == 0x0
 02385  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02386  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02387  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02388  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02389  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02390  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02391  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02392  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02393  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02394  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02395  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02396  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02397  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02398  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02399  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02400  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02401  1036   NtClose  (240, ... ) == 0x0
 02402  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02403  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02404  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02405  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02406  1036   NtClose  (240, ... ) == 0x0
 02407  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02408  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02409  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02410  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02411  1036   NtClose  (240, ... ) == 0x0
 02412  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02413  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02414  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02415  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02416  1036   NtClose  (240, ... ) == 0x0
 02417  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02418  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02419  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02420  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02421  1036   NtClose  (240, ... ) == 0x0
 02422  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02423  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02424  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02425  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02426  1036   NtClose  (240, ... ) == 0x0
 02427  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02428  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02429  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02430  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02431  1036   NtClose  (240, ... ) == 0x0
 02432  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02433  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02434  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02435  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02436  1036   NtClose  (240, ... ) == 0x0
 02437  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02438  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02439  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02440  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02441  1036   NtClose  (240, ... ) == 0x0
 02442  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02443  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02444  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02445  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02446  1036   NtClose  (240, ... ) == 0x0
 02447  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02448  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02449  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02450  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02451  1036   NtClose  (240, ... ) == 0x0
 02452  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02453  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02454  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02455  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02456  1036   NtClose  (240, ... ) == 0x0
 02457  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02458  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02459  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02460  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02461  1036   NtClose  (240, ... ) == 0x0
 02462  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02463  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02464  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02465  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02466  1036   NtClose  (240, ... ) == 0x0
 02467  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02468  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02469  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02470  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02471  1036   NtClose  (240, ... ) == 0x0
 02472  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02473  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 240, ) }, ... 240, ) == 0x0
 02474  1036   NtQueryValueKey  (240,  (240, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (240, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (240, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02475  1036   NtClose  (240, ... ) == 0x0
 02476  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02477  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02478  1036   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02479  1036   NtClose  (240, ... ) == 0x0
 02480  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02481  1036   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02482  1036   NtOpenProcessToken  (-1, 0xa, ... 240, ) == 0x0
 02483  1036   NtDuplicateToken  (240, 0xc, {24, 0, 0x0, 0, 1228360, 0x0}, 0, 2, ... 244, ) == 0x0
 02484  1036   NtClose  (240, ... ) == 0x0
 02485  1036   NtAccessCheck  (1379992, 244, 0x1, 1228436, 1228488, 56, 1228468, ... (0x1), ) == 0x0
 02486  1036   NtClose  (244, ... ) == 0x0
 02487  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 244, ) }, ... 244, ) == 0x0
 02488  1036   NtQueryValueKey  (244,  (244, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (244, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02489  1036   NtClose  (244, ... ) == 0x0
 02490  1036   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 244, ) }, ... 244, ) == 0x0
 02491  1036   NtQuerySymbolicLinkObject  (244, ...  (244, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02492  1036   NtClose  (244, ... ) == 0x0
 02493  1036   NtQueryVolumeInformationFile  (228, 1226192, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02494  1036   NtQueryInformationFile  (228, 1226308, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 02495  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02496  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02497  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1225480, ... ) }, 1225480, ... ) == 0x0
 02498  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02499  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02500  1036   NtClose  (244, ... ) == 0x0
 02501  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02502  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02503  1036   NtClose  (244, ... ) == 0x0
 02504  1036   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02505  1036   NtQueryDirectoryFile  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02506  1036   NtClose  (244, ... ) == 0x0
 02507  1036   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02508  1036   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02509  1036   NtQueryInformationFile  (228, 1228348, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02510  1036   NtCreateSection  (0xf0005, 0x0, {180224, 0}, 2, 134217728, 228, ... 244, ) == 0x0
 02511  1036   NtMapViewOfSection  (244, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0xc00000), {0, 0}, 180224, ) == 0x0
 02512  1036   NtClose  (244, ... ) == 0x0
 02513  1036   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02514  1036   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02515  1036   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02516  1036   NtClose  (244, ... ) == 0x0
 02517  1036   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 244, ) }, ... 244, ) == 0x0
 02518  1036   NtOpenKey  (0x20019, {24, 244, 0x40, 0, 0,  (0x20019, {24, 244, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 240, ) }, ... 240, ) == 0x0
 02519  1036   NtClose  (244, ... ) == 0x0
 02520  1036   NtQueryValueKey  (240,  (240, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02521  1036   NtQueryValueKey  (240,  (240, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (240, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 02522  1036   NtClose  (240, ... ) == 0x0
 02523  1036   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02524  1036   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 12582912, 4096, ) == 0x0
 02525  1036   NtAllocateVirtualMemory  (-1, 12582912, 0, 4096, 4096, 4, ... 12582912, 4096, ) == 0x0
 02526  1036   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 240, ) }, ... 240, ) == 0x0
 02527  1036   NtQueryValueKey  (240,  (240, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02528  1036   NtClose  (240, ... ) == 0x0
 02529  1036   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02530  1036   NtQueryInformationToken  (236, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02531  1036   NtQueryInformationToken  (236, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02532  1036   NtClose  (236, ... ) == 0x0
 02533  1036   NtQuerySection  (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02534  1036   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02535  1036   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02536  1036   NtCreateProcessEx  (1230272, 2035711, 0, -1, 4, 232, 0, 0, 0, ... ) == 0x0
 02537  1036   NtSetInformationProcess  (236, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 02538  1036   NtSetInformationProcess  (236, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02539  1036   NtQueryInformationProcess  (236, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdc000,AffinityMask=0x1,BasePriority=8,Pid=1580,ParentPid=1248,}, 0x0, ) == 0x0
 02540  1036   NtReadVirtualMemory  (236, 0x7ffdc008, 4, ...  (236, 0x7ffdc008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 02541  1036   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02542  1036   NtReadVirtualMemory  (236, 0x30000000, 4096, ...  (236, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0
 02543  1036   NtReadVirtualMemory  (236, 0x30033000, 256, ...  (236, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 02544  1036   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02545  1036   NtQueryInformationProcess  (236, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdc000,AffinityMask=0x1,BasePriority=8,Pid=1580,ParentPid=1248,}, 0x0, ) == 0x0
 02546  1036   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1229224, ... ) }, 1229224, ... ) == 0x0
 02547  1036   NtAllocateVirtualMemory  (-1, 0, 0, 2428, 4096, 4, ... 12648448, 4096, ) == 0x0
 02548  1036   NtAllocateVirtualMemory  (236, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 02549  1036   NtWriteVirtualMemory  (236, 0x10000,  (236, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 02550  1036   NtAllocateVirtualMemory  (236, 0, 0, 2428, 4096, 4, ... 131072, 4096, ) == 0x0
 02551  1036   NtWriteVirtualMemory  (236, 0x20000,  (236, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0
 02552  1036   NtWriteVirtualMemory  (236, 0x7ffdc010,  (236, 0x7ffdc010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02553  1036   NtAllocateVirtualMemory  (236, 0, 0, 388, 4096, 4, ... 196608, 4096, ) == 0x0
 02554  1036   NtWriteVirtualMemory  (236, 0x30000,  (236, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0
 02555  1036   NtWriteVirtualMemory  (236, 0x7ffdc1e8,  (236, 0x7ffdc1e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02556  1036   NtFreeVirtualMemory  (-1, (0xc10000), 0, 32768, ... (0xc10000), 4096, ) == 0x0
 02557  1036   NtAllocateVirtualMemory  (236, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 02558  1036   NtAllocateVirtualMemory  (236, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 02559  1036   NtProtectVirtualMemory  (236, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 02560  1036   NtCreateThread  (0x1f03ff, 0x0, 236, 1230280, 1229944, 1, ... 240, {1580, 1756}, ) == 0x0
 02561  1036   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\357\0\0\0\360\0\0\0,\6\0\0\334\6\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\311\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\375\177\0\0\0\0\0\0\25\0\10 \0\0" ... {168, 196, reply, 0, 1248, 1036, 57982, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\354\0\0\0\360\0\0\0,\6\0\0\334\6\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\311\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\375\177\0\0\0\0\0\0\25\0\10 \0\0" )  ... {168, 196, reply, 0, 1248, 1036, 57982, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\357\0\0\0\360\0\0\0,\6\0\0\334\6\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\311\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\375\177\0\0\0\0\0\0\25\0\10 \0\0" ... {168, 196, reply, 0, 1248, 1036, 57982, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\354\0\0\0\360\0\0\0,\6\0\0\334\6\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\311\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\375\177\0\0\0\0\0\0\25\0\10 \0\0" )  ) == 0x0
 02562  1036   NtResumeThread  (240, ... 1, ) == 0x0
 02563  1036   NtClose  (228, ... ) == 0x0
 02564  1036   NtClose  (232, ... ) == 0x0
 02565  1036   NtClose  (240, ... ) == 0x0
 02566  1036   NtWaitForMultipleObjects  (2, (216, 236, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02567  1036   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x102
 02568  1036   NtWaitForMultipleObjects  (2, (216, 236, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02569  1036   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x102
 02570  1036   NtWaitForMultipleObjects  (2, (216, 236, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02571  1036   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x102
 02572  1036   NtWaitForMultipleObjects  (2, (216, 236, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02573  1036   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x0
 02574  1036   NtClose  (236, ... ) == 0x0
 02575  1036   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 02576  1036   NtClose  (224, ... ) == 0x0
 02577  1036   NtClose  (208, ... ) == 0x0
 02578  1036   NtClose  (216, ... ) == 0x0
 02579  1036   NtClose  (212, ... ) == 0x0
 02580  1036   NtClose  (220, ... ) == 0x0
 02581  1036   NtClose  (164, ... ) == 0x0
 02582  1036   NtClose  (168, ... ) == 0x0
 02583  1036   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02584  1036   NtWaitForMultipleObjects  (2, (132, 136, ), 1, 0, 0x0, ... ) == 0x1
 02585  1036   NtClose  (136, ... ) == 0x0
 02586  1036   NtSetEvent  (132, ... 0x0, ) == 0x0
 02587  1036   NtClose  (132, ... ) == 0x0
 02588  1036   NtWaitForMultipleObjects  (2, (140, 144, ), 1, 0, 0x0, ... ) == 0x1
 02589  1036   NtClose  (144, ... ) == 0x0
 02590  1036   NtSetEvent  (140, ... 0x0, ) == 0x0
 02591  1036   NtClose  (140, ... ) == 0x0
 02592  1036   NtWaitForMultipleObjects  (2, (148, 152, ), 1, 0, 0x0, ... ) == 0x1
 02593  1036   NtClose  (152, ... ) == 0x0
 02594  1036   NtSetEvent  (148, ... 0x0, ) == 0x0
 02595  1036   NtClose  (148, ... ) == 0x0
 02596  1036   NtRequestWaitReplyPort  (192, {88, 112, new_msg, 0, 1248, 1036, 57980, 0}  (192, {88, 112, new_msg, 0, 1248, 1036, 57980, 0} "\1\31\0\0A\2<\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0" ... {124, 148, reply, 0, 1248, 1036, 58114, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ... {124, 148, reply, 0, 1248, 1036, 58114, 0}  (192, {88, 112, new_msg, 0, 1248, 1036, 57980, 0} "\1\31\0\0A\2<\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0" ... {124, 148, reply, 0, 1248, 1036, 58114, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ) == 0x0
 02597  1036   NtClose  (188, ... ) == 0x0
 02598  1036   NtClose  (192, ... ) == 0x0
 02599  1036   NtClose  (128, ... ) == 0x0
 02600  1036   NtUnmapViewOfSection  (-1, 0x69450000, ... ) == 0x0
 02601  1036   NtUnmapViewOfSection  (-1, 0x77920000, ... ) == 0x0
 02602  1036   NtUnmapViewOfSection  (-1, 0x76f50000, ... ) == 0x0
 02603  1036   NtUnmapViewOfSection  (-1, 0x76360000, ... ) == 0x0
 02604  1036   NtUnmapViewOfSection  (-1, 0x5b860000, ... ) == 0x0
 02605  1036   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 02606  1036   NtContinue  (1239608, 0, ...
 02607  1036   NtTerminateProcess  (0, -1073741680, ... ) == 0x0
 02608  1036   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02609  1036   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 02610  1036   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0
 02611  1036   NtClose  (156, ... ) == 0x0
 02612  1036   NtUserPostThreadMessage  (1748, 49315, 0, 1036, ... ) == 0x1
 02613  1036   NtUserPostThreadMessage  (416, 49315, 0, 1036, ... ) == 0x1
 02614  1036   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02615  1036   NtUserUnhookWindowsHookEx  (721527, ... ) == 0x1
 02616  1036   NtUserUnhookWindowsHookEx  (393695, ... ) == 0x1
 02617  1036   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 02618  1036   NtUnmapViewOfSection  (-1, 0xba0000, ... ) == 0x0
 02619  1036   NtClose  (116, ... ) == 0x0
 02620  1036   NtClose  (112, ... ) == 0x0
 02621  1036   NtClose  (92, ... ) == 0x0
 02622  1036   NtClose  (96, ... ) == 0x0
 02623  1036   NtClose  (100, ... ) == 0x0
 02624  1036   NtClose  (104, ... ) == 0x0
 02625  1036   NtClose  (108, ... ) == 0x0
 02626  1036   NtUnmapViewOfSection  (-1, 0xb90000, ... ) == 0x0
 02627  1036   NtClose  (88, ... ) == 0x0
 02628  1036   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 02629  1036   NtUserGetProcessWindowStation  (... ) == 0x1c
 02630  1036   NtUserBuildNameList  (28, 522, 1414064, 1244228, ... ) == 0x0
 02631  1036   NtUserGetProcessWindowStation  (... ) == 0x1c
 02632  1036   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x58
 02633  1036   NtUserBuildHwndList  (88, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0x70104, 0xa0102, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x90114, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 54, ) == 0x0
 02634  1036   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02635  1036   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 02636  1036   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 02637  1036   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02638  1036   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02639  1036   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 02640  1036   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 02641  1036   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02642  1036   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 02643  1036   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 02644  1036   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 02645  1036   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 02646  1036   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 02647  1036   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 02648  1036   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 02649  1036   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 02650  1036   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 02651  1036   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 02652  1036   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 02653  1036   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 02654  1036   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 02655  1036   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 02656  1036   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 02657  1036   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 02658  1036   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 02659  1036   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 02660  1036   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 02661  1036   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 02662  1036   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 02663  1036   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 02664  1036   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 02665  1036   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 02666  1036   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 02667  1036   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 02668  1036   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 02669  1036   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 02670  1036   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 02671  1036   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 02672  1036   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 02673  1036   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 02674  1036   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 02675  1036   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 02676  1036   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 02677  1036   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 02678  1036   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 02679  1036   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02680  1036   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 02681  1036   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 02682  1036   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02683  1036   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02684  1036   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 02685  1036   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 02686  1036   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02687  1036   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02688  1036   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 02689  1036   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 02690  1036   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02691  1036   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02692  1036   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 02693  1036   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 02694  1036   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02695  1036   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02696  1036   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 02697  1036   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 02698  1036   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02699  1036   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02700  1036   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 02701  1036   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 02702  1036   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02703  1036   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02704  1036   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 02705  1036   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 02706  1036   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02707  1036   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 02708  1036   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 02709  1036   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 02710  1036   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 02711  1036   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 02712  1036   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 02713  1036   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 02714  1036   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 02715  1036   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 02716  1036   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 02717  1036   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 02718  1036   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 02719  1036   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 02720  1036   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 02721  1036   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 02722  1036   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 02723  1036   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 02724  1036   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 02725  1036   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 02726  1036   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 02727  1036   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 02728  1036   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 02729  1036   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 02730  1036   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 02731  1036   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 02732  1036   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 02733  1036   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 02734  1036   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 02735  1036   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 02736  1036   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 02737  1036   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 02738  1036   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02739  1036   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 02740  1036   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 02741  1036   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02742  1036   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02743  1036   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 02744  1036   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 02745  1036   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02746  1036   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02747  1036   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 02748  1036   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 02749  1036   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02750  1036   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02751  1036   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 02752  1036   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 02753  1036   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02754  1036   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02755  1036   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 02756  1036   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 02757  1036   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02758  1036   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02759  1036   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 02760  1036   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 02761  1036   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02762  1036   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02763  1036   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 02764  1036   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 02765  1036   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02766  1036   NtUserRemoveProp  (655618, 43282, ... ) == 0x0
 02767  1036   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02768  1036   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 02769  1036   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 02770  1036   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02771  1036   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02772  1036   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 02773  1036   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 02774  1036   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02775  1036   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02776  1036   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 02777  1036   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 02778  1036   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02779  1036   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02780  1036   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 02781  1036   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 02782  1036   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02783  1036   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02784  1036   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 02785  1036   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 02786  1036   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02787  1036   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02788  1036   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 02789  1036   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 02790  1036   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02791  1036   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 02792  1036   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 02793  1036   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 02794  1036   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 02795  1036   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 02796  1036   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 02797  1036   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 02798  1036   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 02799  1036   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 02800  1036   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 02801  1036   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 02802  1036   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 02803  1036   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 02804  1036   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02805  1036   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 02806  1036   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 02807  1036   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02808  1036   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02809  1036   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 02810  1036   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 02811  1036   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02812  1036   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02813  1036   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 02814  1036   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 02815  1036   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02816  1036   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02817  1036   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 02818  1036   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 02819  1036   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02820  1036   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02821  1036   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 02822  1036   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 02823  1036   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02824  1036   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02825  1036   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 02826  1036   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 02827  1036   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02828  1036   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02829  1036   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 02830  1036   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 02831  1036   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02832  1036   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02833  1036   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 02834  1036   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 02835  1036   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02836  1036   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02837  1036   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 02838  1036   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 02839  1036   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02840  1036   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02841  1036   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 02842  1036   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 02843  1036   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02844  1036   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02845  1036   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 02846  1036   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 02847  1036   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02848  1036   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02849  1036   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 02850  1036   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 02851  1036   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02852  1036   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02853  1036   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 02854  1036   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 02855  1036   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02856  1036   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02857  1036   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 02858  1036   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 02859  1036   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02860  1036   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02861  1036   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 02862  1036   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 02863  1036   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02864  1036   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 02865  1036   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 02866  1036   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 02867  1036   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 02868  1036   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 02869  1036   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 02870  1036   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 02871  1036   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02872  1036   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 02873  1036   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 02874  1036   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02875  1036   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02876  1036   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 02877  1036   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 02878  1036   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02879  1036   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02880  1036   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 02881  1036   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 02882  1036   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02883  1036   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02884  1036   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 02885  1036   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 02886  1036   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02887  1036   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02888  1036   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 02889  1036   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 02890  1036   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02891  1036   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02892  1036   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 02893  1036   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 02894  1036   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02895  1036   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02896  1036   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02897  1036   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02898  1036   NtUserRemoveProp  (590100, 43288, ... ) == 0xffffffff
 02899  1036   NtUserRemoveProp  (590100, 43282, ... ) == 0x0
 02900  1036   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02901  1036   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02902  1036   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02903  1036   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 02904  1036   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 02905  1036   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02906  1036   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02907  1036   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 02908  1036   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 02909  1036   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02910  1036   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02911  1036   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 02912  1036   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 02913  1036   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02914  1036   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02915  1036   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 02916  1036   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 02917  1036   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02918  1036   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 02919  1036   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 02920  1036   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 02921  1036   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 02922  1036   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 02923  1036   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 02924  1036   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 02925  1036   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 02926  1036   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 02927  1036   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 02928  1036   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 02929  1036   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 02930  1036   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 02931  1036   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 02932  1036   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 02933  1036   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 02934  1036   NtUserCloseDesktop  (88, ... ) == 0x1
 02935  1036   NtUserGetProcessWindowStation  (... ) == 0x1c
 02936  1036   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02937  1036   NtUserGetProcessWindowStation  (... ) == 0x1c
 02938  1036   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02939  1036   NtGdiDeleteObjectApp  (856294625, ... ) == 0x1
 02940  1036   NtGdiDeleteObjectApp  (1376388660, ... ) == 0x1
 02941  1036   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 02942  1036   NtClose  (60, ... ) == 0x0
 02943  1036   NtClose  (52, ... ) == 0x0
 02944  1036   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 02945  1036   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02946  1036   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02947  1036   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 52, ) }, ... 52, ) == 0x0
 02948  1036   NtQueryValueKey  (52,  (52, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02949  1036   NtClose  (52, ... ) == 0x0
 02950  1036   NtClose  (44, ... ) == 0x0
 02951  1036   NtFreeVirtualMemory  (-1, (0xc00000), 4096, 32768, ... (0xc00000), 4096, ) == 0x0
 02952  1036   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02953  1036   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02954  1036   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02955  1036   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2011664592, 1178048, 1178452, 1178016}  (24, {20, 48, new_msg, 0, 2011664592, 1178048, 1178452, 1178016} "\0\0\0\0\3\0\1\0X\35\336w\234\375\21\0\220\0\0\300" ... {20, 48, reply, 0, 1248, 1036, 58117, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\234\375\21\0\220\0\0\300" )  ... {20, 48, reply, 0, 1248, 1036, 58117, 0}  (24, {20, 48, new_msg, 0, 2011664592, 1178048, 1178452, 1178016} "\0\0\0\0\3\0\1\0X\35\336w\234\375\21\0\220\0\0\300" ... {20, 48, reply, 0, 1248, 1036, 58117, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\234\375\21\0\220\0\0\300" )  ) == 0x0
 02956  1036   NtTerminateProcess  (-1, -1073741680, ...
NtCallbackReturn(>)	1	NtUserGetImeInfoEx(>)	1	NtUserGetObjectInformation(>)	4	NtDeviceIoControlFile(>)	16
NtCreateProcessEx(>)	1	NtUserOpenWindowStation(>)	1	NtUserMessageCall(>)	4	NtCreateEvent(>)	17
NtCreateSemaphore(>)	1	NtUserSetCursor(>)	1	NtUserRemoveProp(>)	4	NtRequestWaitReplyPort(>)	18
NtCreateThread(>)	1	NtUserSetProp(>)	1	NtDuplicateObject(>)	5	NtWaitForSingleObject(>)	18
NtGdiCreateBitmap(>)	1	NtUserSetWindowLong(>)	1	NtGdiGetStockObject(>)	5	NtUserCallOneParam(>)	20
NtGdiCreatePatternBrushInternal(>)	1	NtUserUpdateInputContext(>)	1	NtReadFile(>)	5	NtQuerySection(>)	21
NtGdiGetTextCharsetInfo(>)	1	NtAccessCheck(>)	2	NtSetInformationFile(>)	5	NtQueryDirectoryFile(>)	24
NtGdiGetTextFaceW(>)	1	NtConnectPort(>)	2	NtUserBuildHwndList(>)	5	NtCreateFile(>)	26
NtGdiGetTextMetricsW(>)	1	NtCreateIoCompletion(>)	2	NtWriteVirtualMemory(>)	5	NtOpenSection(>)	27
NtGdiGetWidthTable(>)	1	NtDuplicateToken(>)	2	NtUserGetProcessWindowStation(>)	6	NtQueryDebugFilterState(>)	29
NtGdiInit(>)	1	NtGdiCreateSolidBrush(>)	2	NtFsControlFile(>)	7	NtOpenProcessTokenEx(>)	36
NtGdiQueryFontAssocInfo(>)	1	NtNotifyChangeKey(>)	2	NtQueryInformationFile(>)	7	NtOpenThreadTokenEx(>)	36
NtGdiSelectBitmap(>)	1	NtQueryInformationJobObject(>)	2	NtUserGetDC(>)	7	NtQueryVirtualMemory(>)	39
NtLockVirtualMemory(>)	1	NtQueryPerformanceCounter(>)	2	NtWaitForMultipleObjects(>)	7	NtQueryInformationToken(>)	47
NtOpenEvent(>)	1	NtTerminateProcess(>)	2	NtEnumerateKey(>)	8	NtSetInformationProcess(>)	49
NtOpenKeyedEvent(>)	1	NtUserCloseWindowStation(>)	2	NtOpenProcessToken(>)	8	NtQueryDefaultLocale(>)	60
NtOpenMutant(>)	1	NtUserPostThreadMessage(>)	2	NtOpenThreadToken(>)	8	NtQueryInformationProcess(>)	64
NtQueryInstallUILanguage(>)	1	NtUserSetWindowFNID(>)	2	NtQueryDefaultUILanguage(>)	8	NtUnmapViewOfSection(>)	64
NtQueryObject(>)	1	NtUserSetWindowsHookEx(>)	2	NtSetValueKey(>)	8	NtCreateSection(>)	69
NtQuerySystemTime(>)	1	NtUserUnhookWindowsHookEx(>)	2	NtUserSystemParametersInfo(>)	8	NtOpenFile(>)	70
NtRegisterThreadTerminatePort(>)	1	NtGdiHfontCreate(>)	3	NtUserCallNoParam(>)	9	NtAllocateVirtualMemory(>)	77
NtResumeThread(>)	1	NtOpenDirectoryObject(>)	3	NtCreateMutant(>)	10	NtQuerySystemInformation(>)	78
NtSecureConnectPort(>)	1	NtOpenSymbolicLinkObject(>)	3	NtCreateKey(>)	11	NtMapViewOfSection(>)	88
NtTestAlert(>)	1	NtQuerySymbolicLinkObject(>)	3	NtFreeVirtualMemory(>)	11	NtQueryAttributesFile(>)	99
NtUserBuildNameList(>)	1	NtReadVirtualMemory(>)	3	NtUserFindExistingCursorIcon(>)	11	NtFlushInstructionCache(>)	121
NtUserCallHwndParam(>)	1	NtSetEvent(>)	3	NtWriteFile(>)	11	NtUserValidateHandleSecure(>)	139
NtUserCloseDesktop(>)	1	NtSetInformationObject(>)	3	NtReleaseMutant(>)	12	NtUserQueryWindow(>)	160
NtUserCreateWindowEx(>)	1	NtUserGetThreadDesktop(>)	3	NtUserGetWindowDC(>)	12	NtOpenKey(>)	222
NtUserGetAtomName(>)	1	NtUserOpenDesktop(>)	3	NtUserRegisterWindowMessage(>)	13	NtProtectVirtualMemory(>)	243
NtUserGetClassName(>)	1	NtGdiCreateCompatibleDC(>)	4	NtContinue(>)	15	NtQueryValueKey(>)	243
NtUserGetForegroundWindow(>)	1	NtGdiDeleteObjectApp(>)	4	NtSetInformationThread(>)	15	NtClose(>)	384
NtUserGetGUIThreadInfo(>)	1	NtQueryVolumeInformationFile(>)	4	NtUserRegisterClassExWOW(>)	15