Summary:


NtCallbackReturn(>)  1 
NtUserGetImeInfoEx(>)  1 
NtQueryVolumeInformationFile(>)  4 
NtDeviceIoControlFile(>)  16 

NtCreateProcessEx(>)  1 
NtUserOpenWindowStation(>)  1 
NtUserGetObjectInformation(>)  4 
NtCreateEvent(>)  17 

NtCreateSemaphore(>)  1 
NtUserSetCursor(>)  1 
NtUserMessageCall(>)  4 
NtRequestWaitReplyPort(>)  18 

NtCreateThread(>)  1 
NtUserSetProp(>)  1 
NtUserRemoveProp(>)  4 
NtWaitForSingleObject(>)  18 

NtGdiCreateBitmap(>)  1 
NtUserSetWindowLong(>)  1 
NtDuplicateObject(>)  5 
NtUserCallOneParam(>)  20 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserUpdateInputContext(>)  1 
NtGdiGetStockObject(>)  5 
NtQuerySection(>)  21 

NtGdiGetTextCharsetInfo(>)  1 
NtAccessCheck(>)  2 
NtSetInformationFile(>)  5 
NtQueryDirectoryFile(>)  24 

NtGdiGetTextFaceW(>)  1 
NtConnectPort(>)  2 
NtUserBuildHwndList(>)  5 
NtCreateFile(>)  26 

NtGdiGetTextMetricsW(>)  1 
NtCreateIoCompletion(>)  2 
NtWriteVirtualMemory(>)  5 
NtOpenSection(>)  27 

NtGdiGetWidthTable(>)  1 
NtDuplicateToken(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtQueryDebugFilterState(>)  29 

NtGdiInit(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFsControlFile(>)  7 
NtOpenProcessTokenEx(>)  36 

NtGdiQueryFontAssocInfo(>)  1 
NtNotifyChangeKey(>)  2 
NtQueryInformationFile(>)  7 
NtOpenThreadTokenEx(>)  36 

NtGdiSelectBitmap(>)  1 
NtQueryInformationJobObject(>)  2 
NtUserGetDC(>)  7 
NtQueryVirtualMemory(>)  39 

NtLockVirtualMemory(>)  1 
NtQueryPerformanceCounter(>)  2 
NtWaitForMultipleObjects(>)  7 
NtQueryInformationToken(>)  47 

NtOpenEvent(>)  1 
NtReadFile(>)  2 
NtEnumerateKey(>)  8 
NtSetInformationProcess(>)  49 

NtOpenKeyedEvent(>)  1 
NtTerminateProcess(>)  2 
NtOpenProcessToken(>)  8 
NtQueryDefaultLocale(>)  60 

NtOpenMutant(>)  1 
NtUserCloseWindowStation(>)  2 
NtOpenThreadToken(>)  8 
NtQueryInformationProcess(>)  64 

NtQueryInstallUILanguage(>)  1 
NtUserPostThreadMessage(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtUnmapViewOfSection(>)  64 

NtQueryObject(>)  1 
NtUserSetWindowFNID(>)  2 
NtSetValueKey(>)  8 
NtCreateSection(>)  69 

NtQuerySystemTime(>)  1 
NtUserSetWindowsHookEx(>)  2 
NtUserSystemParametersInfo(>)  8 
NtOpenFile(>)  69 

NtRegisterThreadTerminatePort(>)  1 
NtUserUnhookWindowsHookEx(>)  2 
NtUserCallNoParam(>)  9 
NtAllocateVirtualMemory(>)  77 

NtResumeThread(>)  1 
NtGdiHfontCreate(>)  3 
NtCreateMutant(>)  10 
NtQuerySystemInformation(>)  78 

NtSecureConnectPort(>)  1 
NtOpenDirectoryObject(>)  3 
NtCreateKey(>)  11 
NtMapViewOfSection(>)  88 

NtTestAlert(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtFreeVirtualMemory(>)  11 
NtQueryAttributesFile(>)  99 

NtUserBuildNameList(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtUserFindExistingCursorIcon(>)  11 
NtFlushInstructionCache(>)  121 

NtUserCallHwndParam(>)  1 
NtReadVirtualMemory(>)  3 
NtWriteFile(>)  11 
NtUserValidateHandleSecure(>)  139 

NtUserCloseDesktop(>)  1 
NtSetEvent(>)  3 
NtReleaseMutant(>)  12 
NtUserQueryWindow(>)  160 

NtUserCreateWindowEx(>)  1 
NtSetInformationObject(>)  3 
NtUserGetWindowDC(>)  12 
NtOpenKey(>)  222 

NtUserGetAtomName(>)  1 
NtUserGetThreadDesktop(>)  3 
NtUserRegisterWindowMessage(>)  13 
NtProtectVirtualMemory(>)  243 

NtUserGetClassName(>)  1 
NtUserOpenDesktop(>)  3 
NtContinue(>)  15 
NtQueryValueKey(>)  243 

NtUserGetForegroundWindow(>)  1 
NtGdiCreateCompatibleDC(>)  4 
NtSetInformationThread(>)  15 
NtClose(>)  383 

NtUserGetGUIThreadInfo(>)  1 
NtGdiDeleteObjectApp(>)  4 
NtUserRegisterClassExWOW(>)  15 

Trace:
 00001   748   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   748   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   748   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   748   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   748   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   748   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   748   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   748   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   748   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   748   NtClose  (12, ... ) == 0x0
 00015   748   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   748   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   748   NtClose  (16, ... ) == 0x0
 00021   748   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   748   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   748   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   748   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   748   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   748   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   748   NtClose  (16, ... ) == 0x0
 00030   748   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   748   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   748   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   748   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   748   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 484, 748, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 484, 748, 57957, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 484, 748, 57957, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   748   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   748   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   748   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   748   NtClose  (16, ... ) == 0x0
 00041   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   748   NtClose  (16, ... ) == 0x0
 00044   748   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   748   NtClose  (16, ... ) == 0x0
 00048   748   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   748   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   748   NtClose  (16, ... ) == 0x0
 00052   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   748   NtClose  (16, ... ) == 0x0
 00055   748   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   748   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   748   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 484, 748, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 484, 748, 57958, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 484, 748, 57958, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   748   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 484, 748, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 484, 748, 57959, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 484, 748, 57959, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   748   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 4, ... (0x46b000), 151552, 128, ) == 0x0
 00062   748   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 128, ... (0x46b000), 151552, 4, ) == 0x0
 00063   748   NtFlushInstructionCache  (-1, 4632576, 151552, ... ) == 0x0
 00064   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00065   748   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00066   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ws2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00067   748   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00068   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ws2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00069   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ws2_32.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00070   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00071   748   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00072   748   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00073   748   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00074   748   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00075   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00076   748   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00077   748   NtClose  (36, ... ) == 0x0
 00078   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00079   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00080   748   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00081   748   NtClose  (36, ... ) == 0x0
 00082   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   748   NtClose  (32, ... ) == 0x0
 00084   748   NtClose  (16, ... ) == 0x0
 00085   748   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00086   748   NtClose  (28, ... ) == 0x0
 00087   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00088   748   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00089   748   NtClose  (28, ... ) == 0x0
 00090   748   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00091   748   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00092   748   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00093   748   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00094   748   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00095   748   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00096   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00099   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00100   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00101   748   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00102   748   NtClose  (28, ... ) == 0x0
 00103   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00104   748   NtClose  (16, ... ) == 0x0
 00105   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00106   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00107   748   NtClose  (16, ... ) == 0x0
 00108   748   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00109   748   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00110   748   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00111   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00112   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00113   748   NtClose  (16, ... ) == 0x0
 00114   748   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00115   748   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00116   748   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00117   748   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00118   748   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00119   748   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00120   748   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00121   748   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00122   748   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00123   748   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00124   748   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00125   748   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00126   748   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00127   748   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00128   748   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00129   748   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00130   748   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00131   748   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00132   748   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 4, ... (0x46b000), 151552, 64, ) == 0x0
 00133   748   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 64, ... (0x46b000), 151552, 4, ) == 0x0
 00134   748   NtFlushInstructionCache  (-1, 4632576, 151552, ... ) == 0x0
 00135   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00136   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00137   748   NtClose  (16, ... ) == 0x0
 00138   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00139   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00140   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00141   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00142   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00143   748   NtClose  (16, ... ) == 0x0
 00144   748   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00145   748   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00146   748   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00147   748   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00148   748   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00149   748   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00150   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00151   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00152   748   NtClose  (16, ... ) == 0x0
 00153   748   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00154   748   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00155   748   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00156   748   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00157   748   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00158   748   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00159   748   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00160   748   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00161   748   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00162   748   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00163   748   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00164   748   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00165   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00166   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00167   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00168   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00169   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00170   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00171   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00172   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00173   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00174   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00175   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00176   748   NtClose  (16, ... ) == 0x0
 00177   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00178   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00179   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00180   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00181   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00182   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00183   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00184   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00185   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00186   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00187   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00188   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00189   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00190   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00191   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00192   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00193   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00194   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00195   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00196   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00197   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00198   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00199   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00200   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00201   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00202   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00203   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00204   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00205   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00206   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00207   748   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 4, ... (0x46b000), 151552, 64, ) == 0x0
 00208   748   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 64, ... (0x46b000), 151552, 4, ) == 0x0
 00209   748   NtFlushInstructionCache  (-1, 4632576, 151552, ... ) == 0x0
 00210   748   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 4, ... (0x46b000), 151552, 64, ) == 0x0
 00211   748   NtProtectVirtualMemory  (-1, (0x46b000), 151552, 64, ... (0x46b000), 151552, 4, ) == 0x0
 00212   748   NtFlushInstructionCache  (-1, 4632576, 151552, ... ) == 0x0
 00213   748   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00214   748   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00215   748   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00216   748   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00217   748   NtClose  (16, ... ) == 0x0
 00218   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00219   748   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00220   748   NtClose  (16, ... ) == 0x0
 00221   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00222   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00223   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00224   748   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00225   748   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00226   748   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00227   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00228   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00229   748   NtClose  (16, ... ) == 0x0
 00230   748   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00231   748   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00232   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00233   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00234   748   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00235   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00236   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00237   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00238   748   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00239   748   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00240   748   NtClose  (16, ... ) == 0x0
 00241   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00242   748   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   748   NtClose  (16, ... ) == 0x0
 00244   748   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00245   748   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00246   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00247   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00249   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00250   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00251   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00253   748   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6\31\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 484, 748, 57960, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 484, 748, 57960, 0}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6\31\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 484, 748, 57960, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00254   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00255   748   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00256   748   NtClose  (28, ... ) == 0x0
 00257   748   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00258   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00259   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00260   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00261   748   NtClose  (28, ... ) == 0x0
 00262   748   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00263   748   NtClose  (32, ... ) == 0x0
 00264   748   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00265   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00266   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00267   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00268   748   NtClose  (32, ... ) == 0x0
 00269   748   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00270   748   NtClose  (28, ... ) == 0x0
 00271   748   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00272   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00273   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00274   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00275   748   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00276   748   NtClose  (28, ... ) == 0x0
 00277   748   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00278   748   NtClose  (32, ... ) == 0x0
 00279   748   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00280   748   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00281   748   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00282   748   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00283   748   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00284   748   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00285   748   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00286   748   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00287   748   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00288   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00290   748   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00291   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00292   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00293   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00294   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00295   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00297   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00298   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00300   748   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00301   748   NtClose  (32, ... ) == 0x0
 00302   748   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x570000), 0x0, 1060864, ) == 0x0
 00303   748   NtClose  (-2147482740, ... ) == 0x0
 00304   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00305   748   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00306   748   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00307   748   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00308   748   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00309   748   NtClose  (-2147482740, ... ) == 0x0
 00310   748   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00311   748   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00312   748   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00313   748   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00314   748   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00315   748   NtClose  (-2147482740, ... ) == 0x0
 00316   748   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00317   748   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00318   748   NtClose  (-2147482740, ... ) == 0x0
 00319   748   NtQueryDefaultLocale  (0, -139609780, ... ) == 0x0
 00320   748   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00321   748   NtUserCallNoParam  (24, ... ) == 0x0
 00322   748   NtGdiCreateCompatibleDC  (0, ...
 00323   748   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00322   748   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00324   748   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00325   748   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00326   748   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00327   748   NtGdiCreateSolidBrush  (0, 0, ...
 00328   748   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00327   748   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00329   748   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00330   748   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00331   748   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00332   748   NtUserGetThreadDesktop  (748, 0, ... ) == 0x24
 00333   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00334   748   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00335   748   NtClose  (44, ... ) == 0x0
 00336   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00337   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8178c017
 00338   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00339   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8178c01c
 00340   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00341   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8178c01e
 00342   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00343   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81788002
 00344   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00345   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8178c018
 00346   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00347   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8178c01a
 00348   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00349   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8178c01d
 00350   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00351   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8178c026
 00352   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00353   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8178c019
 00354   748   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8178c020
 00355   748   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8178c022
 00356   748   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8178c023
 00357   748   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8178c024
 00358   748   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8178c025
 00359   748   NtCallbackReturn  (0, 0, 0, ...
 00360   748   NtGdiInit  (... ) == 0x1
 00361   748   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00362   748   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00363   748   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00364   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0
 00365   748   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\274|\352\3658\223\375\271\324~w\177\17\271\311\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00366   748   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00367   748   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00368   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00369   748   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00370   748   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00371   748   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00372   748   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00373   748   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00374   748   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\303:c\316\200\303d\336V\20Q\2540Bd\263\336Y\251{\13\323\302\24549\207\32d\242\334\322`\321d]\351\236\373C\221\263\377\3440\331\366O\243g.\354\264\204AZ\344v,\364\337\33s\251\301\5\265\362\3172V51p\32\16\301\247\267\265", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\303:c\316\200\303d\336V\20Q\2540Bd\263\336Y\251{\13\323\302\24549\207\32d\242\334\322`\321d]\351\236\373C\221\263\377\3440\331\366O\243g.\354\264\204AZ\344v,\364\337\33s\251\301\5\265\362\3172V51p\32\16\301\247\267\265", 80, ... ) , 80, ... ) == 0x0
 00375   748   NtClose  (-2147482740, ... ) == 0x0
 00365   748   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\304\59A\301;\30\232\310ZTn\325\223o\360\177\34=M\233\206\\311:\256\251\301\254$\327(\214!\240DG\230\327M\377\203\17\214'A\342eE\255#\23\222\321\202\337\36\206\273\17\207\274\6\2706\242U\201\263\340\367\322L\263\227NE\276\327\311\344\352\210\333\11V\323\363\351\235\235\315[\253\371\343\213hn|B\347w\25u\335\2F/\204\332\215\316's\363Q\14\260\344b\233\362\316z\14S\321\36k\21f\211\315##\216\337\327\227\23\375\253\25q\242\317u%\17~-\355\347\22%\13Z\212\362$l\257>\223\251^2\2\316\357X3\205\260\234f1\217\12b\373\203\222\246Q"'"\3345]\13\242\14w\373+\377\27X\32\23t\357\311y'\252\2727x9\355\372\301\327kz"Z)\227\25q\335\317\337\332Th`\336\263\226\356H\235\26Yc),\3117\370\363\320\207\25\321\230\36X\222_", ) ' ... {status=0x0, info=256}, "\304\59A\301;\30\232\310ZTn\325\223o\360\177\34=M\233\206\\311:\256\251\301\254$\327(\214!\240DG\230\327M\377\203\17\214'A\342eE\255#\23\222\321\202\337\36\206\273\17\207\274\6\2706\242U\201\263\340\367\322L\263\227NE\276\327\311\344\352\210\333\11V\323\363\351\235\235\315[\253\371\343\213hn|B\347w\25u\335\2F/\204\332\215\316's\363Q\14\260\344b\233\362\316z\14S\321\36k\21f\211\315##\216\337\327\227\23\375\253\25q\242\317u%\17~-\355\347\22%\13Z\212\362$l\257>\223\251^2\2\316\357X3\205\260\234f1\217\12b\373\203\222\246Q"'"\3345]\13\242\14w\373+\377\27X\32\23t\357\311y'\252\2727x9\355\372\301\327kz"Z)\227\25q\335\317\337\332Th`\336\263\226\356H\235\26Yc),\3117\370\363\320\207\25\321\230\36X\222_", ) Z)\227\25q\335\317\337\332Th`\336\263\226\356H\235\26Yc),\3117\370\363\320\207\25\321\230\36X\222_", ) == 0x0
 00376   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00377   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00378   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0
 00379   748   NtQueryValueKey  (48,  (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00380   748   NtClose  (48, ... ) == 0x0
 00381   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0
 00382   748   NtQueryValueKey  (48,  (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   748   NtClose  (48, ... ) == 0x0
 00384   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00385   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00386   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00387   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00388   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0
 00389   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00390   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00391   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00392   748   NtClose  (48, ... ) == 0x0
 00393   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0
 00394   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00395   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00396   748   NtClose  (48, ... ) == 0x0
 00397   748   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00398   748   NtOpenEvent  (0x1f0003, {24, 48, 0x0, 0, 0,  (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00399   748   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00400   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00401   748   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403   748   NtTestAlert  (... ) == 0x0
 00404   748   NtContinue  (1244464, 1, ...
 00405   748   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401000,}, 4, ... ) == 0x0
 00406   748   NtAllocateVirtualMemory  (-1, 0, 0, 278528, 4096, 64, ... 3538944, 278528, ) == 0x0
 00407   748   NtAllocateVirtualMemory  (-1, 0, 0, 278528, 4096, 64, ... 3866624, 278528, ) == 0x0
 00408   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 278528, ) == 0x0
 00409   748   NtAllocateVirtualMemory  (-1, 0, 0, 1350, 4096, 4, ... 3538944, 4096, ) == 0x0
 00410   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00411   748   NtAllocateVirtualMemory  (-1, 0, 0, 208384, 4096, 4, ... 3538944, 208896, ) == 0x0
 00412   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 208896, ) == 0x0
 00413   748   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 4, ... 3538944, 4096, ) == 0x0
 00414   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00415   748   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0
 00416   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00417   748   NtAllocateVirtualMemory  (-1, 0, 0, 10752, 4096, 4, ... 3538944, 12288, ) == 0x0
 00418   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 12288, ) == 0x0
 00419   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00420   748   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00421   748   NtClose  (52, ... ) == 0x0
 00422   748   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00423   748   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00424   748   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00425   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00426   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00427   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00428   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wsock32.dll"}, 1242940, ... ) }, 1242940, ... ) == 0x0
 00429   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wsock32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00430   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0
 00431   748   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00432   748   NtClose  (52, ... ) == 0x0
 00433   748   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 36864, ) == 0x0
 00434   748   NtClose  (56, ... ) == 0x0
 00435   748   NtProtectVirtualMemory  (-1, (0x71ad1000), 52, 4, ... (0x71ad1000), 4096, 32, ) == 0x0
 00436   748   NtProtectVirtualMemory  (-1, (0x71ad1000), 4096, 32, ... (0x71ad1000), 4096, 4, ) == 0x0
 00437   748   NtFlushInstructionCache  (-1, 1907167232, 52, ... ) == 0x0
 00438   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   748   NtQueryPerformanceCounter  (... {924406315, 10}, {3579545, 0}, ) == 0x0
 00440   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00441   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00442   748   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00443   748   NtClose  (56, ... ) == 0x0
 00444   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00445   748   NtSetInformationObject  (56, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00446   748   NtOpenKey  (0xf003f, {24, 56, 0x40, 0, 0,  (0xf003f, {24, 56, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00447   748   NtOpenKey  (0xf003f, {24, 56, 0x40, 0, 0,  (0xf003f, {24, 56, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00448   748   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00449   748   NtQueryInformationToken  (52, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00450   748   NtClose  (52, ... ) == 0x0
 00451   748   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00452   748   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00453   748   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9961472, 1048576, ) == 0x0
 00454   748   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00455   748   NtAllocateVirtualMemory  (-1, 9961472, 0, 16384, 4096, 4, ... 9961472, 16384, ) == 0x0
 00456   748   NtUserCallNoParam  (29, ...
 00457   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242224, ... ) }, 1242224, ... ) == 0x0
 00458   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00459   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00460   748   NtClose  (52, ... ) == 0x0
 00461   748   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x360000), 0x0, 221184, ) == 0x0
 00462   748   NtClose  (60, ... ) == 0x0
 00463   748   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 00464   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242532, ... ) }, 1242532, ... ) == 0x0
 00465   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00466   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00467   748   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00468   748   NtClose  (60, ... ) == 0x0
 00469   748   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00470   748   NtClose  (52, ... ) == 0x0
 00471   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00472   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00473   748   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00474   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00475   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00476   748   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00477   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00478   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00479   748   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00480   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00481   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00482   748   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00483   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00484   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00485   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00486   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00487   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00488   748   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00489   748   NtClose  (52, ... ) == 0x0
 00490   748   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00491   748   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 60, ) }, ... 60, ) == 0x0
 00492   748   NtQueryValueKey  (60,  (60, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00493   748   NtClose  (60, ... ) == 0x0
 00494   748   NtClose  (52, ... ) == 0x0
 00495   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00496   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00497   748   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00498   748   NtClose  (52, ... ) == 0x0
 00499   748   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00500   748   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00501   748   NtQueryValueKey  (60,  (60, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00502   748   NtClose  (60, ... ) == 0x0
 00503   748   NtClose  (52, ... ) == 0x0
 00504   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 00505   748   NtUserGetObjectInformation  (28, 2, 1244320, 64, 1244316, ... ) == 0x1
 00506   748   NtUserGetGUIThreadInfo  (748, 1244340, ... ) == 0x1
 00507   748   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244184, 64, ... 52, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244184, 64, ... 52, 0x0, 0x0, 0x0, 64, ) == 0x0
 00508   748   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 484, 748, 57969, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00509   748   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57970, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 484, 748, 57970, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57970, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00510   748   NtUserCallNoParam  (29, ...
 00511   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241580, ... ) }, 1241580, ... ) == 0x0
 00510   748   NtUserCallNoParam  ... ) == 0x0
 00512   748   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00513   748   NtGdiHfontCreate  (1243708, 356, 0, 0, 1333048, ... ) == 0x330a04e1
 00514   748   NtGdiHfontCreate  (1243708, 356, 0, 0, 1333040, ... ) == 0x520a0634
 00515   748   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57971, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 484, 748, 57971, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57971, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00516   748   NtMapViewOfSection  (60, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 327680, ) == 0x0
 00517   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00518   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00519   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00520   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00521   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00522   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00523   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00524   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00525   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00526   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00527   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00528   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00529   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00530   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00531   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00532   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00533   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00534   748   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x72100798
 00535   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00536   748   NtUserCallNoParam  (29, ...
 00537   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241020, ... ) }, 1241020, ... ) == 0x0
 00536   748   NtUserCallNoParam  ... ) == 0x0
 00538   748   NtUserCallNoParam  (29, ...
 00539   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0
 00538   748   NtUserCallNoParam  ... ) == 0x0
 00456   748   NtUserCallNoParam  ... ) == 0x1
 00540   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 64, ) }, ... 64, ) == 0x0
 00541   748   NtQueryValueKey  (64,  (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00542   748   NtQueryValueKey  (64,  (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00543   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00544   748   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Protocol_Catalog9"}, ... 72, ) }, ... 72, ) == 0x0
 00545   748   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00546   748   NtNotifyChangeKey  (72, 68, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00547   748   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00548   748   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549   748   NtQueryValueKey  (72,  (72, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00550   748   NtQueryValueKey  (72,  (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00551   748   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Catalog_Entries"}, ... 76, ) }, ... 76, ) == 0x0
 00552   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000001"}, ... 80, ) }, ... 80, ) == 0x0
 00553   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00554   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00555   748   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00556   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0-\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0-\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0.\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0/\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0/\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0-\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0-\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0.\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0/\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0/\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0/\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0-\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0-\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0.\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0/\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0/\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00557   748   NtClose  (80, ... ) == 0x0
 00558   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000002"}, ... 80, ) }, ... 80, ) == 0x0
 00559   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00560   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00561   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\02\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\02\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\03\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\04\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\04\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\02\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\02\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\03\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\04\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\04\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\04\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\02\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\02\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\03\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\04\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\04\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00562   748   NtClose  (80, ... ) == 0x0
 00563   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000003"}, ... 80, ) }, ... 80, ) == 0x0
 00564   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00565   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00566   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\07\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\07\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\08\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\09\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\07\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\07\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\08\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\09\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\07\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\07\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\08\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\09\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\09\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00567   748   NtClose  (80, ... ) == 0x0
 00568   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000004"}, ... 80, ) }, ... 80, ) == 0x0
 00569   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00570   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00571   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0<\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0=\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0>\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0<\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0=\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0>\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0<\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0=\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0>\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00572   748   NtClose  (80, ... ) == 0x0
 00573   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000005"}, ... 80, ) }, ... 80, ) == 0x0
 00574   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00575   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00576   748   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00577   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0B\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0B\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0C\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0C\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0D\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0D\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0B\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0B\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0C\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0C\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0D\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0D\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0D\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0B\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0B\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0C\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0C\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0D\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0D\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00578   748   NtClose  (80, ... ) == 0x0
 00579   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000006"}, ... 80, ) }, ... 80, ) == 0x0
 00580   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00581   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00582   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0G\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0H\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0I\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0G\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0H\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0I\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0G\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0H\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0I\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0I\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00583   748   NtClose  (80, ... ) == 0x0
 00584   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000007"}, ... 80, ) }, ... 80, ) == 0x0
 00585   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00586   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00587   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0L\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0M\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0L\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0M\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0L\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0M\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0N\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0N\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00588   748   NtClose  (80, ... ) == 0x0
 00589   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000008"}, ... 80, ) }, ... 80, ) == 0x0
 00590   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00591   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00592   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0R\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0S\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0R\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0S\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0R\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0S\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0S\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00593   748   NtClose  (80, ... ) == 0x0
 00594   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000009"}, ... 80, ) }, ... 80, ) == 0x0
 00595   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00596   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00597   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0V\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0W\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0W\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0X\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0V\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0W\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0W\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0X\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0V\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0W\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0W\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0X\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0X\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Y\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00598   748   NtClose  (80, ... ) == 0x0
 00599   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000010"}, ... 80, ) }, ... 80, ) == 0x0
 00600   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00601   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00602   748   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00603   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0]\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0^\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0]\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0^\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0]\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0^\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00604   748   NtClose  (80, ... ) == 0x0
 00605   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000011"}, ... 80, ) }, ... 80, ) == 0x0
 00606   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00607   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00608   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0a\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0b\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0c\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0a\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0b\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0c\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0a\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0b\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0c\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0c\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00609   748   NtClose  (80, ... ) == 0x0
 00610   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000012"}, ... 80, ) }, ... 80, ) == 0x0
 00611   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00612   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00613   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0f\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0g\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0h\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0f\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0g\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0h\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0f\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0g\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0h\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0h\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00614   748   NtClose  (80, ... ) == 0x0
 00615   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000013"}, ... 80, ) }, ... 80, ) == 0x0
 00616   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00617   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00618   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0k\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0l\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0m\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0m\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0n\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0k\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0l\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0m\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0m\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0n\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0m\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0n\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0k\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0l\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0l\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0m\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0m\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0n\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00619   748   NtClose  (80, ... ) == 0x0
 00620   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000014"}, ... 80, ) }, ... 80, ) == 0x0
 00621   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00622   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00623   748   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00624   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0r\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0s\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0r\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0s\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0q\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0r\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0s\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00625   748   NtClose  (80, ... ) == 0x0
 00626   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000015"}, ... 80, ) }, ... 80, ) == 0x0
 00627   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00628   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00629   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0v\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0w\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0x\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0v\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0w\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0x\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0v\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0w\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0x\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00630   748   NtClose  (80, ... ) == 0x0
 00631   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000016"}, ... 80, ) }, ... 80, ) == 0x0
 00632   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00633   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00634   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0{\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0|\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0}\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0{\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0|\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0}\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0{\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0|\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0}\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00635   748   NtClose  (80, ... ) == 0x0
 00636   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000017"}, ... 80, ) }, ... 80, ) == 0x0
 00637   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00638   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00639   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\200\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\201\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\202\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\200\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\201\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\202\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\200\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\201\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\202\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00640   748   NtClose  (80, ... ) == 0x0
 00641   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000018"}, ... 80, ) }, ... 80, ) == 0x0
 00642   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00643   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00644   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\205\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\206\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\207\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\205\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\206\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\207\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\205\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\206\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\207\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00645   748   NtClose  (80, ... ) == 0x0
 00646   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000019"}, ... 80, ) }, ... 80, ) == 0x0
 00647   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00648   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00649   748   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00650   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\213\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\213\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\214\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\215\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\213\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\213\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\214\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\215\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\213\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\213\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\214\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\215\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00651   748   NtClose  (80, ... ) == 0x0
 00652   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000020"}, ... 80, ) }, ... 80, ) == 0x0
 00653   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00654   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00655   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\220\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\221\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\222\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\220\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\221\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\222\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\220\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\221\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\222\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\222\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\223\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00656   748   NtClose  (80, ... ) == 0x0
 00657   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000021"}, ... 80, ) }, ... 80, ) == 0x0
 00658   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00659   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00660   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\225\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\226\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\227\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\225\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\226\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\227\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\225\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\226\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\227\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00661   748   NtClose  (80, ... ) == 0x0
 00662   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000022"}, ... 80, ) }, ... 80, ) == 0x0
 00663   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00664   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00665   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\232\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\235\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\235\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\236\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0@\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\230r\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\232\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\235\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\235\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\236\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0@\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\230r\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\232\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\235\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\235\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\236\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0@\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\230r\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00666   748   NtClose  (80, ... ) == 0x0
 00667   748   NtClose  (76, ... ) == 0x0
 00668   748   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 00669   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0
 00670   748   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 80, ) }, ... 80, ) == 0x0
 00671   748   NtQueryValueKey  (80,  (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00672   748   NtNotifyChangeKey  (80, 76, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00673   748   NtQueryValueKey  (80,  (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00674   748   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   748   NtQueryValueKey  (80,  (80, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00676   748   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "Catalog_Entries"}, ... 84, ) }, ... 84, ) == 0x0
 00677   748   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000001"}, ... 88, ) }, ... 88, ) == 0x0
 00678   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00679   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00680   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00681   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00682   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00683   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00684   748   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00685   748   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00686   748   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00687   748   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00688   748   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00689   748   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00690   748   NtClose  (88, ... ) == 0x0
 00691   748   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000002"}, ... 88, ) }, ... 88, ) == 0x0
 00692   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00693   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00694   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00695   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00696   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00697   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00698   748   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00699   748   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00700   748   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00701   748   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00702   748   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00703   748   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00704   748   NtClose  (88, ... ) == 0x0
 00705   748   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00706   748   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000003"}, ... 88, ) }, ... 88, ) == 0x0
 00707   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00708   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00709   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00710   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00711   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00712   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00713   748   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00714   748   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00715   748   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00716   748   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00717   748   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00718   748   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00719   748   NtClose  (88, ... ) == 0x0
 00720   748   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000004"}, ... 88, ) }, ... 88, ) == 0x0
 00721   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00722   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00723   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00724   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00725   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00726   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00727   748   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00728   748   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00729   748   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00730   748   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00731   748   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00732   748   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00733   748   NtClose  (88, ... ) == 0x0
 00734   748   NtClose  (84, ... ) == 0x0
 00735   748   NtWaitForSingleObject  (76, 0, {0, 0}, ... ) == 0x102
 00736   748   NtClose  (64, ... ) == 0x0
 00737   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00738   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00739   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 64, ) }, ... 64, ) == 0x0
 00740   748   NtQueryValueKey  (64,  (64, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00741   748   NtClose  (64, ... ) == 0x0
 00742   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 64, ) == 0x0
 00743   748   NtAllocateVirtualMemory  (-1, 9977856, 0, 81920, 4096, 4, ... 9977856, 81920, ) == 0x0
 00744   748   NtLockVirtualMemory  (-1, (0x980440), 65536, 1, ... (0x980000), 69632, ) == 0x0
 00745   748   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 84, ) == 0x0
 00746   748   NtQueryVirtualMemory  (-1, 0x3df666, Basic, 28, ... {BaseAddress=0x3df000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x15000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00747   748   NtContinue  (1244328, 0, ...
 00748   748   NtFreeVirtualMemory  (-1, (0x994000), 16384, 16384, ... (0x994000), 16384, ) == 0x0
 00749   748   NtQueryVirtualMemory  (-1, 0x3deb09, Basic, 28, ... {BaseAddress=0x3de000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x16000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00750   748   NtContinue  (1244016, 0, ...
 00751   748   NtAllocateVirtualMemory  (-1, 10043392, 0, 32768, 4096, 4, ... 10043392, 32768, ) == 0x0
 00752   748   NtAllocateVirtualMemory  (-1, 0, 0, 29, 4096, 64, ... 11010048, 4096, ) == 0x0
 00753   748   NtAllocateVirtualMemory  (-1, 0, 0, 21, 4096, 64, ... 11075584, 4096, ) == 0x0
 00754   748   NtAllocateVirtualMemory  (-1, 0, 0, 37, 4096, 64, ... 11141120, 4096, ) == 0x0
 00755   748   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 11206656, 4096, ) == 0x0
 00756   748   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 11272192, 4096, ) == 0x0
 00757   748   NtAllocateVirtualMemory  (-1, 0, 0, 34, 4096, 64, ... 11337728, 4096, ) == 0x0
 00758   748   NtAllocateVirtualMemory  (-1, 0, 0, 30, 4096, 64, ... 11403264, 4096, ) == 0x0
 00759   748   NtAllocateVirtualMemory  (-1, 0, 0, 23, 4096, 64, ... 11468800, 4096, ) == 0x0
 00760   748   NtAllocateVirtualMemory  (-1, 0, 0, 23, 4096, 64, ... 11534336, 4096, ) == 0x0
 00761   748   NtAllocateVirtualMemory  (-1, 0, 0, 21, 4096, 64, ... 11599872, 4096, ) == 0x0
 00762   748   NtAllocateVirtualMemory  (-1, 0, 0, 41, 4096, 64, ... 11665408, 4096, ) == 0x0
 00763   748   NtAllocateVirtualMemory  (-1, 0, 0, 34, 4096, 64, ... 11730944, 4096, ) == 0x0
 00764   748   NtAllocateVirtualMemory  (-1, 0, 0, 31, 4096, 64, ... 11796480, 4096, ) == 0x0
 00765   748   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 11862016, 4096, ) == 0x0
 00766   748   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 11927552, 4096, ) == 0x0
 00767   748   NtAllocateVirtualMemory  (-1, 0, 0, 26, 4096, 64, ... 11993088, 4096, ) == 0x0
 00768   748   NtAllocateVirtualMemory  (-1, 0, 0, 318, 4096, 64, ... 12058624, 4096, ) == 0x0
 00769   748   NtQueryVirtualMemory  (-1, 0x3ded53, Basic, 28, ... {BaseAddress=0x3de000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x16000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00770   748   NtContinue  (1244016, 0, ...
 00771   748   NtFreeVirtualMemory  (-1, (0x994000), 32768, 16384, ... (0x994000), 32768, ) == 0x0
 00772   748   NtQueryVirtualMemory  (-1, 0x3df23a, Basic, 28, ... {BaseAddress=0x3df000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x15000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00773   748   NtContinue  (1244016, 0, ...
 00774   748   NtAllocateVirtualMemory  (-1, 10043392, 0, 32768, 4096, 4, ... 10043392, 32768, ) == 0x0
 00775   748   NtQueryVirtualMemory  (-1, 0x3c4409, Basic, 28, ... {BaseAddress=0x3c4000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x30000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00776   748   NtQueryVirtualMemory  (-1, 0x3df60e, Basic, 28, ... {BaseAddress=0x3df000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x15000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00777   748   NtQueryVirtualMemory  (-1, 0x3df854, Basic, 28, ... {BaseAddress=0x3df000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x15000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 00778   748   NtContinue  (1242888, 0, ...
 00779   748   NtUserFindExistingCursorIcon  (1242844, 1242860, 1242908, ... ) == 0x10015
 00780   748   NtUserSetCursor  (65557, ... ) == 0x10015
 00781   748   NtGdiCreateCompatibleDC  (0, ... ) == 0x6e0106ed
 00782   748   NtGdiGetTextCharsetInfo  (1845561069, 0, 0, ... ) == 0x0
 00783   748   NtGdiHfontCreate  (1242600, 356, 0, 0, 1333032, ... ) == 0x3c0a056c
 00784   748   NtGdiGetTextMetricsW  (1845561069, 1242916, 68, ... ) == 0x1
 00785   748   NtGdiGetTextFaceW  (1845561069, 32, 1243224, 1, ... ) == 0xe
 00786   748   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00787   748   NtGdiGetWidthTable  (1845561069, 52, 1367776, 308, 1368392, 1367144, 1367160, ... ) == 0x1
 00788   748   NtGdiDeleteObjectApp  (1845561069, ... ) == 0x1
 00789   748   NtUserGetForegroundWindow  (... ) == 0x70104
 00790   748   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 00791   748   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 00792   748   NtUserGetAtomName  (32770, 1242104, ... ) == 0x6
 00793   748   NtUserCreateWindowEx  (-2147417855, 32770, 32770,  (-2147417855, 32770, 32770, " ", 13240516, 284, 271, 456, 195, 0, 0, 0, 0, 1073742848, 0, ... , 13240516, 284, 271, 456, 195, 0, 0, 0, 0, 1073742848, 0, ...
 00794   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1239580, ... ) }, 1239580, ... ) == 0x0
 00795   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00796   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 88, ... 92, ) == 0x0
 00797   748   NtClose  (88, ... ) == 0x0
 00798   748   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb90000), 0x0, 294912, ) == 0x0
 00799   748   NtClose  (92, ... ) == 0x0
 00800   748   NtUnmapViewOfSection  (-1, 0xb90000, ... ) == 0x0
 00801   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1239888, ... ) }, 1239888, ... ) == 0x0
 00802   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00803   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00804   748   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00805   748   NtClose  (92, ... ) == 0x0
 00806   748   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74720000), 0x0, 307200, ) == 0x0
 00807   748   NtClose  (88, ... ) == 0x0
 00808   748   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00809   748   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00810   748   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00811   748   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00812   748   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00813   748   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00814   748   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00815   748   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00816   748   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00817   748   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00818   748   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00819   748   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00820   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 1237244, ... ) }, 1237244, ... ) == 0x0
 00822   748   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00823   748   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00824   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.Private", ... ) , ... ) == 0xc0a1
 00825   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.SetFocus", ... ) , ... ) == 0xc0a2
 00826   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadTerminate", ... ) , ... ) == 0xc0a3
 00827   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadItemChange", ... ) , ... ) == 0xc0a4
 00828   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LangBarModal", ... ) , ... ) == 0xc0a5
 00829   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.RpcSendReceive", ... ) , ... ) == 0xc0a6
 00830   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadMarshal", ... ) , ... ) == 0xc0a7
 00831   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.CheckThreadInputIdel", ... ) , ... ) == 0xc0a8
 00832   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.StubCleanUp", ... ) , ... ) == 0xc0a9
 00833   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ShowFloating", ... ) , ... ) == 0xc0aa
 00834   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LBUpdate", ... ) , ... ) == 0xc0ab
 00835   748   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.MuiMgrDirtyUpdate", ... ) , ... ) == 0xc0ac
 00836   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\imm32.dll"}, 1237252, ... ) }, 1237252, ... ) == 0x0
 00837   748   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 3998, 1239644, 0, 0}  (24, {24, 52, new_msg, 0, 3998, 1239644, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\354\2\0\0\0\0\0\0" ... {24, 52, reply, 0, 484, 748, 57974, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\354\2\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 484, 748, 57974, 0}  (24, {24, 52, new_msg, 0, 3998, 1239644, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\354\2\0\0\0\0\0\0" ... {24, 52, reply, 0, 484, 748, 57974, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\354\2\0\0\0\0\0\0" )  ) == 0x0
 00838   748   NtUserGetThreadDesktop  (748, 0, ... ) == 0x24
 00839   748   NtUserGetObjectInformation  (36, 2, 1318544, 520, 1239552, ... ) == 0x1
 00840   748   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00841   748   NtQueryInformationToken  (88, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00842   748   NtQueryInformationToken  (88, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 00843   748   NtClose  (88, ... ) == 0x0
 00844   748   NtCreateSection  (0xf0007, {24, 48, 0x80, 0, 0,  (0xf0007, {24, 48, 0x80, 0, 0, "CiceroSharedMemDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, {3240, 0}, 4, 134217728, 0, ... 88, ) }, {3240, 0}, 4, 134217728, 0, ... 88, ) == STATUS_OBJECT_NAME_EXISTS
 00845   748   NtMapViewOfSection  (88, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xb90000), {0, 0}, 4096, ) == 0x0
 00846   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\Compatibility\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00847   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\SystemShared\"}, ... 92, ) }, ... 92, ) == 0x0
 00848   748   NtQueryValueKey  (92,  (92, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00849   748   NtClose  (92, ... ) == 0x0
 00850   748   NtUserFindExistingCursorIcon  (1239084, 1239100, 1239148, ... ) == 0x10011
 00851   748   NtUserRegisterClassExWOW  (1239356, 1239452, 1239436, 1239424, 0, 386, 0, ... ) == 0x8178c0ad
 00852   748   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.LBES.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 92, ) }, 0, ... 92, ) == STATUS_OBJECT_NAME_EXISTS
 00853   748   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.Compart.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 96, ) }, 0, ... 96, ) == STATUS_OBJECT_NAME_EXISTS
 00854   748   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.Asm.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 100, ) }, 0, ... 100, ) == STATUS_OBJECT_NAME_EXISTS
 00855   748   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.Layouts.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 104, ) }, 0, ... 104, ) == STATUS_OBJECT_NAME_EXISTS
 00856   748   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.TMD.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 108, ) }, 0, ... 108, ) == STATUS_OBJECT_NAME_EXISTS
 00857   748   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Keyboard Layout\Toggle"}, ... 112, ) }, ... 112, ) == 0x0
 00858   748   NtQueryValueKey  (112,  (112, "Language Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00859   748   NtQueryValueKey  (112,  (112, "Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00860   748   NtQueryValueKey  (112,  (112, "Layout Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00861   748   NtClose  (112, ... ) == 0x0
 00862   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 1237072, ... ) }, 1237072, ... ) == 0x0
 00863   748   NtQueryDefaultUILanguage  (1239632, ...
 00864   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00865   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00866   748   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00867   748   NtClose  (-2147482740, ... ) == 0x0
 00868   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00869   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00870   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00871   748   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   748   NtClose  (-2147481328, ... ) == 0x0
 00873   748   NtClose  (-2147482740, ... ) == 0x0
 00863   748   NtQueryDefaultUILanguage  ... ) == 0x0
 00874   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\"}, ... 112, ) }, ... 112, ) == 0x0
 00875   748   NtQueryValueKey  (112,  (112, "EnableAnchorContext", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876   748   NtClose  (112, ... ) == 0x0
 00877   748   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003MUTEX.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 112, ) }, 0, ... 112, ) == STATUS_OBJECT_NAME_EXISTS
 00878   748   NtOpenSection  (0xf001f, {24, 48, 0x0, 0, 0,  (0xf001f, {24, 48, 0x0, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003SFM.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, ... 116, ) }, ... 116, ) == 0x0
 00879   748   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xba0000), {0, 0}, 262144, ) == 0x0
 00880   748   NtWaitForSingleObject  (112, 0, {-50000000, -1}, ... ) == 0x0
 00881   748   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 00882   748   NtWaitForSingleObject  (112, 0, {-50000000, -1}, ... ) == 0x0
 00883   748   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 00884   748   NtWaitForSingleObject  (112, 0, {-50000000, -1}, ... ) == 0x0
 00885   748   NtReleaseMutant  (112, ... 0x0, ) == 0x0
 00886   748   NtUserSetWindowsHookEx  (1953628160, 1241116, 748, 2, 1953694283, 2, ... ) == 0x601df
 00887   748   NtUserSetWindowsHookEx  (1953628160, 1241116, 748, 7, 1953693577, 2, ... ) == 0x18022f
 00888   748   NtUserSetWindowFNID  (655618, 676, ... ) == 0x1
 00889   748   NtUserCallHwndParam  (655618, 1369820, 79, ... ) == 0x14e6dc
 00890   748   NtUserMessageCall  (0xa0102, WM_NCCREATE, 0x0, 0x12f39c, 0, 670, 1, ... ) == 0x1
 00891   748   NtUserSetWindowFNID  (590100, 681, ... ) == 0x1
 00892   748   NtUserSetWindowLong  (590100, 0, 1368704, 0, ... ) == 0x0
 00893   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 120, ) }, ... 120, ) == 0x0
 00894   748   NtQueryValueKey  (120,  (120, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (120, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 00895   748   NtClose  (120, ... ) == 0x0
 00896   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00897   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00898   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238372, ... ) }, 1238372, ... ) == 0x0
 00899   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 00900   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 124, ) == 0x0
 00901   748   NtClose  (120, ... ) == 0x0
 00902   748   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbe0000), 0x0, 180224, ) == 0x0
 00903   748   NtClose  (124, ... ) == 0x0
 00904   748   NtUnmapViewOfSection  (-1, 0xbe0000, ... ) == 0x0
 00905   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237968, ... ) }, 1237968, ... ) == 0x0
 00906   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238712,  (0x80100080, {24, 0, 0x40, 0, 1238712, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 00907   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 124, ... 120, ) == 0x0
 00908   748   NtClose  (124, ... ) == 0x0
 00909   748   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbe0000), {0, 0}, 180224, ) == 0x0
 00910   748   NtClose  (120, ... ) == 0x0
 00911   748   NtQueryDefaultUILanguage  (2090319928, ...
 00912   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00913   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00914   748   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00915   748   NtClose  (-2147482740, ... ) == 0x0
 00916   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00917   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00919   748   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00920   748   NtClose  (-2147481328, ... ) == 0x0
 00921   748   NtClose  (-2147482740, ... ) == 0x0
 00911   748   NtQueryDefaultUILanguage  ... ) == 0x0
 00922   748   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00923   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00924   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00925   748   NtQueryDefaultLocale  (1, 1239332, ... ) == 0x0
 00926   748   NtQueryVirtualMemory  (-1, 0xbe0000, Basic, 28, ... {BaseAddress=0xbe0000,AllocationBase=0xbe0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00927   748   NtQueryVirtualMemory  (-1, 0xbe0000, Basic, 28, ... {BaseAddress=0xbe0000,AllocationBase=0xbe0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00928   748   NtUnmapViewOfSection  (-1, 0xbe0000, ... ) == 0x0
 00929   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00930   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00931   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238364, ... ) }, 1238364, ... ) == 0x0
 00932   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 00933   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 124, ) == 0x0
 00934   748   NtClose  (120, ... ) == 0x0
 00935   748   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbe0000), 0x0, 180224, ) == 0x0
 00936   748   NtClose  (124, ... ) == 0x0
 00937   748   NtUnmapViewOfSection  (-1, 0xbe0000, ... ) == 0x0
 00938   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237960, ... ) }, 1237960, ... ) == 0x0
 00939   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238704,  (0x80100080, {24, 0, 0x40, 0, 1238704, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 00940   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 124, ... 120, ) == 0x0
 00941   748   NtClose  (124, ... ) == 0x0
 00942   748   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbe0000), {0, 0}, 180224, ) == 0x0
 00943   748   NtClose  (120, ... ) == 0x0
 00944   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00945   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00946   748   NtQueryDefaultLocale  (1, 1239324, ... ) == 0x0
 00947   748   NtQueryVirtualMemory  (-1, 0xbe0000, Basic, 28, ... {BaseAddress=0xbe0000,AllocationBase=0xbe0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00948   748   NtUnmapViewOfSection  (-1, 0xbe0000, ... ) == 0x0
 00949   748   NtOpenMutant  (0x120001, {24, 48, 0x0, 0, 0,  (0x120001, {24, 48, 0x0, 0, 0, "ShimCacheMutex"}, ... 120, ) }, ... 120, ) == 0x0
 00950   748   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 00951   748   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "ShimSharedMemory"}, ... 124, ) }, ... 124, ) == 0x0
 00952   748   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xbe0000), {0, 0}, 57344, ) == 0x0
 00953   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00954   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 00955   748   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00956   748   NtClose  (128, ... ) == 0x0
 00957   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958   748   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 00959   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238344, ... ) }, 1238344, ... ) == 0x0
 00960   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 00961   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 00962   748   NtClose  (128, ... ) == 0x0
 00963   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 00964   748   NtClose  (132, ... ) == 0x0
 00965   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 00966   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238652, ... ) }, 1238652, ... ) == 0x0
 00967   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 00968   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 00969   748   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00970   748   NtClose  (132, ... ) == 0x0
 00971   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 00972   748   NtClose  (128, ... ) == 0x0
 00973   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00974   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00975   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00976   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00977   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00978   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00979   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00980   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00981   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00982   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00983   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00984   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00985   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00986   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00987   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00988   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00989   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00990   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00991   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992   748   NtUserGetDC  (0, ... ) == 0x1010052
 00993   748   NtUserSystemParametersInfo  (66, 12, 1238840, 0, ... ) == 0x1
 00994   748   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00995   748   NtQueryVirtualMemory  (-1, 0x7c91ca50, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00996   748   NtQueryVirtualMemory  (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00997   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00998   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00999   748   NtContinue  (1237044, 0, ...
 01000   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01001   748   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01002   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01003   748   NtUserMessageCall  (0x90114, WM_NCCREATE, 0x0, 0x12f388, 0, 670, 0, ... ) == 0x1
 01004   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01005   748   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01006   748   NtClose  (128, ... ) == 0x0
 01007   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01008   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01009   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238468, ... ) }, 1238468, ... ) == 0x0
 01010   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01011   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01012   748   NtClose  (128, ... ) == 0x0
 01013   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01014   748   NtClose  (132, ... ) == 0x0
 01015   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01016   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238064, ... ) }, 1238064, ... ) == 0x0
 01017   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238808,  (0x80100080, {24, 0, 0x40, 0, 1238808, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01018   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01019   748   NtClose  (132, ... ) == 0x0
 01020   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01021   748   NtClose  (128, ... ) == 0x0
 01022   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01023   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01024   748   NtQueryDefaultLocale  (1, 1239428, ... ) == 0x0
 01025   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01026   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01027   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01028   748   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01029   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01030   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01031   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238460, ... ) }, 1238460, ... ) == 0x0
 01032   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01033   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01034   748   NtClose  (128, ... ) == 0x0
 01035   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01036   748   NtClose  (132, ... ) == 0x0
 01037   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01038   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238056, ... ) }, 1238056, ... ) == 0x0
 01039   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238800,  (0x80100080, {24, 0, 0x40, 0, 1238800, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01040   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01041   748   NtClose  (132, ... ) == 0x0
 01042   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01043   748   NtClose  (128, ... ) == 0x0
 01044   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01045   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01046   748   NtQueryDefaultLocale  (1, 1239420, ... ) == 0x0
 01047   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01048   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01049   748   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01050   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01051   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01052   748   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01053   748   NtClose  (128, ... ) == 0x0
 01054   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01055   748   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01056   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238440, ... ) }, 1238440, ... ) == 0x0
 01057   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01058   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01059   748   NtClose  (128, ... ) == 0x0
 01060   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01061   748   NtClose  (132, ... ) == 0x0
 01062   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01063   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238748, ... ) }, 1238748, ... ) == 0x0
 01064   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01065   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01066   748   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01067   748   NtClose  (132, ... ) == 0x0
 01068   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01069   748   NtClose  (128, ... ) == 0x0
 01070   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01071   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01072   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01073   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01074   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01075   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01076   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01077   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01078   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01079   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01080   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01081   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01082   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01083   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01084   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01085   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01086   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01087   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01088   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01089   748   NtUserGetDC  (0, ... ) == 0x1010052
 01090   748   NtUserSystemParametersInfo  (66, 12, 1238936, 0, ... ) == 0x1
 01091   748   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01092   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01093   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01094   748   NtContinue  (1237140, 0, ...
 01095   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01096   748   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01097   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01098   748   NtUserMessageCall  (0x90114, WM_NCCALCSIZE, 0x0, 0x12f3cc, 0, 670, 0, ... ) == 0x0
 01099   748   NtUserSetProp  (590100, 43288, -1, ... ) == 0x1
 01100   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01101   748   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01102   748   NtClose  (128, ... ) == 0x0
 01103   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01104   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01105   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238372, ... ) }, 1238372, ... ) == 0x0
 01106   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01107   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01108   748   NtClose  (128, ... ) == 0x0
 01109   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01110   748   NtClose  (132, ... ) == 0x0
 01111   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01112   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237968, ... ) }, 1237968, ... ) == 0x0
 01113   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238712,  (0x80100080, {24, 0, 0x40, 0, 1238712, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01114   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01115   748   NtClose  (132, ... ) == 0x0
 01116   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01117   748   NtClose  (128, ... ) == 0x0
 01118   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01119   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01120   748   NtQueryDefaultLocale  (1, 1239332, ... ) == 0x0
 01121   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01122   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01123   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01124   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01125   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01126   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238364, ... ) }, 1238364, ... ) == 0x0
 01127   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01128   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01129   748   NtClose  (128, ... ) == 0x0
 01130   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01131   748   NtClose  (132, ... ) == 0x0
 01132   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01133   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237960, ... ) }, 1237960, ... ) == 0x0
 01134   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238704,  (0x80100080, {24, 0, 0x40, 0, 1238704, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01135   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01136   748   NtClose  (132, ... ) == 0x0
 01137   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01138   748   NtClose  (128, ... ) == 0x0
 01139   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01140   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01141   748   NtQueryDefaultLocale  (1, 1239324, ... ) == 0x0
 01142   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01143   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01144   748   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01145   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01146   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01147   748   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01148   748   NtClose  (128, ... ) == 0x0
 01149   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01150   748   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01151   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238344, ... ) }, 1238344, ... ) == 0x0
 01152   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01153   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01154   748   NtClose  (128, ... ) == 0x0
 01155   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01156   748   NtClose  (132, ... ) == 0x0
 01157   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01158   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238652, ... ) }, 1238652, ... ) == 0x0
 01159   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01160   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01161   748   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01162   748   NtClose  (132, ... ) == 0x0
 01163   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01164   748   NtClose  (128, ... ) == 0x0
 01165   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01166   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01167   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01168   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01169   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01170   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01171   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01172   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01173   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01174   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01175   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01176   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01177   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01178   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01179   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01180   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01181   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01182   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01183   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   748   NtUserGetDC  (0, ... ) == 0x1010052
 01185   748   NtUserSystemParametersInfo  (66, 12, 1238840, 0, ... ) == 0x1
 01186   748   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01187   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01188   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01189   748   NtContinue  (1237044, 0, ...
 01190   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01191   748   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01192   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01193   748   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01194   748   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 01195   748   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 01196   748   NtUserUpdateInputContext  (7536899, 1, 590100, ... ) == 0x1
 01197   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01198   748   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01199   748   NtClose  (128, ... ) == 0x0
 01200   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01201   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01202   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238480, ... ) }, 1238480, ... ) == 0x0
 01203   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01204   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01205   748   NtClose  (128, ... ) == 0x0
 01206   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01207   748   NtClose  (132, ... ) == 0x0
 01208   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01209   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238076, ... ) }, 1238076, ... ) == 0x0
 01210   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238820,  (0x80100080, {24, 0, 0x40, 0, 1238820, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01211   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01212   748   NtClose  (132, ... ) == 0x0
 01213   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01214   748   NtClose  (128, ... ) == 0x0
 01215   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01216   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01217   748   NtQueryDefaultLocale  (1, 1239440, ... ) == 0x0
 01218   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01219   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01220   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01221   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01222   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01223   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238472, ... ) }, 1238472, ... ) == 0x0
 01224   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01225   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01226   748   NtClose  (128, ... ) == 0x0
 01227   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01228   748   NtClose  (132, ... ) == 0x0
 01229   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01230   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238068, ... ) }, 1238068, ... ) == 0x0
 01231   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238812,  (0x80100080, {24, 0, 0x40, 0, 1238812, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01232   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01233   748   NtClose  (132, ... ) == 0x0
 01234   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01235   748   NtClose  (128, ... ) == 0x0
 01236   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01237   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01238   748   NtQueryDefaultLocale  (1, 1239432, ... ) == 0x0
 01239   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01240   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01241   748   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01242   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01243   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01244   748   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01245   748   NtClose  (128, ... ) == 0x0
 01246   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   748   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01248   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238452, ... ) }, 1238452, ... ) == 0x0
 01249   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01250   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01251   748   NtClose  (128, ... ) == 0x0
 01252   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01253   748   NtClose  (132, ... ) == 0x0
 01254   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01255   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238760, ... ) }, 1238760, ... ) == 0x0
 01256   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01257   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01258   748   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01259   748   NtClose  (132, ... ) == 0x0
 01260   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01261   748   NtClose  (128, ... ) == 0x0
 01262   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01263   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01264   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01265   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01266   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01267   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01268   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01269   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01270   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01271   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01272   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01273   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01274   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01275   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01276   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01277   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01278   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01279   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01280   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281   748   NtUserGetDC  (0, ... ) == 0x1010052
 01282   748   NtUserSystemParametersInfo  (66, 12, 1238948, 0, ... ) == 0x1
 01283   748   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01284   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01285   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01286   748   NtContinue  (1237152, 0, ...
 01287   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01288   748   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01289   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01290   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01291   748   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01292   748   NtClose  (128, ... ) == 0x0
 01293   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01294   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01295   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238480, ... ) }, 1238480, ... ) == 0x0
 01296   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01297   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01298   748   NtClose  (128, ... ) == 0x0
 01299   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01300   748   NtClose  (132, ... ) == 0x0
 01301   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01302   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238076, ... ) }, 1238076, ... ) == 0x0
 01303   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238820,  (0x80100080, {24, 0, 0x40, 0, 1238820, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01304   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01305   748   NtClose  (132, ... ) == 0x0
 01306   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01307   748   NtClose  (128, ... ) == 0x0
 01308   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01309   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01310   748   NtQueryDefaultLocale  (1, 1239440, ... ) == 0x0
 01311   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01312   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01313   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01314   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01315   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01316   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238472, ... ) }, 1238472, ... ) == 0x0
 01317   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01318   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01319   748   NtClose  (128, ... ) == 0x0
 01320   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01321   748   NtClose  (132, ... ) == 0x0
 01322   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01323   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238068, ... ) }, 1238068, ... ) == 0x0
 01324   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238812,  (0x80100080, {24, 0, 0x40, 0, 1238812, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01325   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01326   748   NtClose  (132, ... ) == 0x0
 01327   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01328   748   NtClose  (128, ... ) == 0x0
 01329   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01330   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01331   748   NtQueryDefaultLocale  (1, 1239432, ... ) == 0x0
 01332   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01333   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01334   748   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01335   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01336   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01337   748   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01338   748   NtClose  (128, ... ) == 0x0
 01339   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01340   748   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01341   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238452, ... ) }, 1238452, ... ) == 0x0
 01342   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01343   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01344   748   NtClose  (128, ... ) == 0x0
 01345   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01346   748   NtClose  (132, ... ) == 0x0
 01347   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01348   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238760, ... ) }, 1238760, ... ) == 0x0
 01349   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01350   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01351   748   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01352   748   NtClose  (132, ... ) == 0x0
 01353   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01354   748   NtClose  (128, ... ) == 0x0
 01355   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01356   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01357   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01358   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01359   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01360   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01361   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01362   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01363   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01364   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01365   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01366   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01367   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01368   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01369   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01370   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01371   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01372   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01373   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01374   748   NtUserGetDC  (0, ... ) == 0x1010052
 01375   748   NtUserSystemParametersInfo  (66, 12, 1238948, 0, ... ) == 0x1
 01376   748   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01377   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01378   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01379   748   NtContinue  (1237152, 0, ...
 01380   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01381   748   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01382   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01383   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 128, ) }, ... 128, ) == 0x0
 01384   748   NtQueryValueKey  (128,  (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 01385   748   NtClose  (128, ... ) == 0x0
 01386   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01387   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01388   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238480, ... ) }, 1238480, ... ) == 0x0
 01389   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01390   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01391   748   NtClose  (128, ... ) == 0x0
 01392   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01393   748   NtClose  (132, ... ) == 0x0
 01394   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01395   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238076, ... ) }, 1238076, ... ) == 0x0
 01396   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238820,  (0x80100080, {24, 0, 0x40, 0, 1238820, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01397   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01398   748   NtClose  (132, ... ) == 0x0
 01399   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01400   748   NtClose  (128, ... ) == 0x0
 01401   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01402   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01403   748   NtQueryDefaultLocale  (1, 1239440, ... ) == 0x0
 01404   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01405   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01406   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01407   748   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01408   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01409   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01410   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238472, ... ) }, 1238472, ... ) == 0x0
 01411   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01412   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01413   748   NtClose  (128, ... ) == 0x0
 01414   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01415   748   NtClose  (132, ... ) == 0x0
 01416   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01417   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238068, ... ) }, 1238068, ... ) == 0x0
 01418   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238812,  (0x80100080, {24, 0, 0x40, 0, 1238812, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01419   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 128, ) == 0x0
 01420   748   NtClose  (132, ... ) == 0x0
 01421   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbf0000), {0, 0}, 180224, ) == 0x0
 01422   748   NtClose  (128, ... ) == 0x0
 01423   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01424   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01425   748   NtQueryDefaultLocale  (1, 1239432, ... ) == 0x0
 01426   748   NtQueryVirtualMemory  (-1, 0xbf0000, Basic, 28, ... {BaseAddress=0xbf0000,AllocationBase=0xbf0000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 01427   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01428   748   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01429   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01430   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01431   748   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01432   748   NtClose  (128, ... ) == 0x0
 01433   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434   748   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01435   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238452, ... ) }, 1238452, ... ) == 0x0
 01436   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01437   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 01438   748   NtClose  (128, ... ) == 0x0
 01439   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01440   748   NtClose  (132, ... ) == 0x0
 01441   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01442   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238760, ... ) }, 1238760, ... ) == 0x0
 01443   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01444   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01445   748   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01446   748   NtClose  (132, ... ) == 0x0
 01447   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01448   748   NtClose  (128, ... ) == 0x0
 01449   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01450   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01451   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01452   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01453   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01454   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01455   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01456   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01457   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01458   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01459   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01460   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01461   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01462   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01463   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01464   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01465   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01466   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01467   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   748   NtUserGetDC  (0, ... ) == 0x1010052
 01469   748   NtUserSystemParametersInfo  (66, 12, 1238948, 0, ... ) == 0x1
 01470   748   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01471   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01472   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01473   748   NtContinue  (1237152, 0, ...
 01474   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01475   748   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01476   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01477   748   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF"}, ... 128, ) }, ... 128, ) == 0x0
 01478   748   NtQueryValueKey  (128,  (128, "Disable Thread Input Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479   748   NtClose  (128, ... ) == 0x0
 01480   748   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01481   748   NtOpenProcessToken  (-1, 0xa, ... 128, ) == 0x0
 01482   748   NtDuplicateToken  (128, 0xc, {24, 0, 0x0, 0, 1240836, 0x0}, 0, 2, ... 132, ) == 0x0
 01483   748   NtClose  (128, ... ) == 0x0
 01484   748   NtAccessCheck  (1375016, 132, 0x1, 1240912, 1240964, 56, 1240944, ... (0x1), ) == 0x0
 01485   748   NtClose  (132, ... ) == 0x0
 01486   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\CTF\SystemShared"}, ... 132, ) }, ... 132, ) == 0x0
 01487   748   NtQueryValueKey  (132,  (132, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01488   748   NtClose  (132, ... ) == 0x0
 01489   748   NtUserGetImeInfoEx  (1240728, 0, ... ) == 0x1
 01490   748   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 01491   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01492   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 01493   748   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01494   748   NtClose  (132, ... ) == 0x0
 01495   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01496   748   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01497   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237760, ... ) }, 1237760, ... ) == 0x0
 01498   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01499   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 132, ... 128, ) == 0x0
 01500   748   NtClose  (132, ... ) == 0x0
 01501   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 180224, ) == 0x0
 01502   748   NtClose  (128, ... ) == 0x0
 01503   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01504   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1238068, ... ) }, 1238068, ... ) == 0x0
 01505   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01506   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 132, ) == 0x0
 01507   748   NtQuerySection  (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01508   748   NtClose  (128, ... ) == 0x0
 01509   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 01510   748   NtClose  (132, ... ) == 0x0
 01511   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01512   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01513   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01514   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01515   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01516   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01517   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01518   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01519   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01520   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01521   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01522   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01523   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01524   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01525   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01526   748   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 01527   748   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 01528   748   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 01529   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01530   748   NtUserGetDC  (0, ... ) == 0x1010052
 01531   748   NtUserSystemParametersInfo  (66, 12, 1238256, 0, ... ) == 0x1
 01532   748   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01533   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01534   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01535   748   NtContinue  (1236460, 0, ...
 01536   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01537   748   NtUnmapViewOfSection  (-1, 0x755c0000, ... ) == 0x0
 01538   748   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01539   748   NtUserMessageCall  (0xa0102, WM_NCCALCSIZE, 0x0, 0x12f3cc, 0, 670, 1, ... ) == 0x0
 01540   748   NtUserGetClassName  (655618, 0, 1241236, ... ) == 0x6
 01541   748   NtUserRemoveProp  (655618, 43282, ... ) == 0x0
 01542   748   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 262144, 6881357, 7471203, 7536751}  (24, {24, 52, new_msg, 0, 262144, 6881357, 7471203, 7536751} "\0\0\0\0\5\4\3\0T\0e\0x\0t\0\354\2\0\0\34\357\22\0" ... {24, 52, reply, 0, 484, 748, 57975, 0} "\0\0\0\0\5\4\3\0\0\0\0\0x\0t\0\354\2\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 484, 748, 57975, 0}  (24, {24, 52, new_msg, 0, 262144, 6881357, 7471203, 7536751} "\0\0\0\0\5\4\3\0T\0e\0x\0t\0\354\2\0\0\34\357\22\0" ... {24, 52, reply, 0, 484, 748, 57975, 0} "\0\0\0\0\5\4\3\0\0\0\0\0x\0t\0\354\2\0\0\0\0\0\0" )  ) == 0x0
 01543   748   NtUserGetThreadDesktop  (748, 0, ... ) == 0x24
 01544   748   NtUserGetObjectInformation  (36, 2, 1240920, 520, 0, ... ) == 0x1
 01545   748   NtGdiDeleteObjectApp  (1913653144, ... ) == 0x1
 01546   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01547   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01548   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01549   748   NtQueryVirtualMemory  (-1, 0x7e418830, Basic, 28, ... {BaseAddress=0x7e418000,AllocationBase=0x7e410000,AllocationProtect=0x80,RegionSize=0x58000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01550   748   NtQueryVirtualMemory  (-1, 0x3b2fcf, Basic, 28, ... {BaseAddress=0x3b2000,AllocationBase=0x3b0000,AllocationProtect=0x40,RegionSize=0x42000,State=0x1000,Protect=0x40,Type=0x20000,}, 28, ) == 0x0
 01551   748   NtQueryVirtualMemory  (-1, 0x7c816fe0, Basic, 28, ... {BaseAddress=0x7c816000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x6e000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01552   748   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01553   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01554   748   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01555   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01556   748   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 01557   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 132, ) }, ... 132, ) == 0x0
 01558   748   NtQueryValueKey  (132,  (132, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (132, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01559   748   NtQueryValueKey  (132,  (132, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (132, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0
 01560   748   NtClose  (132, ... ) == 0x0
 01561   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1236420, ... ) }, 1236420, ... ) == 0x0
 01562   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01563   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 132, ... 128, ) == 0x0
 01564   748   NtClose  (132, ... ) == 0x0
 01565   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbf0000), 0x0, 81920, ) == 0x0
 01566   748   NtClose  (128, ... ) == 0x0
 01567   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 01568   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1236728, ... ) }, 1236728, ... ) == 0x0
 01569   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01570   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 132, ) == 0x0
 01571   748   NtQuerySection  (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01572   748   NtClose  (128, ... ) == 0x0
 01573   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0
 01574   748   NtClose  (132, ... ) == 0x0
 01575   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 132, ) }, ... 132, ) == 0x0
 01576   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0
 01577   748   NtClose  (132, ... ) == 0x0
 01578   748   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01579   748   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01580   748   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01581   748   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01582   748   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01583   748   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01584   748   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01585   748   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01586   748   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01587   748   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 01588   748   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 01589   748   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 01590   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01591   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1235904, ... ) }, 1235904, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1235904, ... ) }, 1235904, ... ) == 0x0
 01593   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01594   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01595   748   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01596   748   NtClose  (132, ... ) == 0x0
 01597   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0
 01598   748   NtClose  (128, ... ) == 0x0
 01599   748   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01600   748   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01601   748   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01602   748   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01603   748   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01604   748   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01605   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 128, ) }, ... 128, ) == 0x0
 01606   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 01607   748   NtClose  (128, ... ) == 0x0
 01608   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01609   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01610   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01611   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01612   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01613   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01614   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01615   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01616   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01617   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01618   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01619   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01620   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 01621   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 01622   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 01623   748   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01624   748   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01625   748   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01626   748   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 01627   748   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 01628   748   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 01629   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01630   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1235904, ... ) }, 1235904, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01631   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1235904, ... ) }, 1235904, ... ) == 0x0
 01632   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 01633   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 132, ) == 0x0
 01634   748   NtQuerySection  (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01635   748   NtClose  (128, ... ) == 0x0
 01636   748   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 01637   748   NtClose  (132, ... ) == 0x0
 01638   748   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01639   748   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01640   748   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01641   748   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01642   748   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01643   748   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01644   748   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01645   748   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01646   748   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01647   748   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 01648   748   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 01649   748   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 01650   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01651   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1235904, ... ) }, 1235904, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01652   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1235904, ... ) }, 1235904, ... ) == 0x0
 01653   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01654   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 01655   748   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01656   748   NtClose  (132, ... ) == 0x0
 01657   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 01658   748   NtClose  (128, ... ) == 0x0
 01659   748   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01660   748   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01661   748   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01662   748   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01663   748   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01664   748   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01665   748   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01666   748   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01667   748   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01668   748   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01669   748   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01670   748   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01671   748   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01672   748   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01673   748   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01674   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 128, ) }, ... 128, ) == 0x0
 01675   748   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 01676   748   NtClose  (128, ... ) == 0x0
 01677   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01678   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01679   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01680   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01681   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01682   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01683   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01684   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01685   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01686   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01687   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01688   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01689   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01690   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01691   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01692   748   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 01693   748   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 01694   748   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 01695   748   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 01696   748   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 01697   748   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 01698   748   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 01699   748   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 01700   748   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 01701   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01702   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0
 01703   748   NtQueryValueKey  (128,  (128, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01704   748   NtClose  (128, ... ) == 0x0
 01705   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0
 01706   748   NtQueryValueKey  (128,  (128, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01707   748   NtClose  (128, ... ) == 0x0
 01708   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 128, ) }, ... 128, ) == 0x0
 01709   748   NtQueryValueKey  (128,  (128, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 01710   748   NtClose  (128, ... ) == 0x0
 01711   748   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1234496, 0,  (0x1f0003, {24, 48, 0x80, 1234496, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 128, ) }, 0, 1, ... 128, ) == STATUS_OBJECT_NAME_EXISTS
 01712   748   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01713   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01714   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01715   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01716   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01717   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01718   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01719   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01720   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01721   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01722   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01723   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01724   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01725   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01726   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01727   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01728   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01729   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01730   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01731   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01732   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01733   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01734   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01735   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01736   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01737   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01738   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01739   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01740   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 01741   748   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01742   748   NtClose  (132, ... ) == 0x0
 01743   748   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 132, ) }, ... 132, ) == 0x0
 01744   748   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 136, ) }, ... 136, ) == 0x0
 01745   748   NtQueryValueKey  (136,  (136, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01746   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01747   748   NtQueryValueKey  (136,  (136, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 01748   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01749   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01750   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01751   748   NtQueryDefaultLocale  (1, 1234248, ... ) == 0x0
 01752   748   NtClose  (136, ... ) == 0x0
 01753   748   NtClose  (132, ... ) == 0x0
 01754   748   NtAllocateVirtualMemory  (-1, 3297280, 0, 4096, 4096, 4, ... 3297280, 4096, ) == 0x0
 01755   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0
 01756   748   NtQueryValueKey  (132,  (132, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01757   748   NtClose  (132, ... ) == 0x0
 01758   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0
 01759   748   NtQueryValueKey  (132,  (132, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01760   748   NtQueryValueKey  (132,  (132, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01761   748   NtClose  (132, ... ) == 0x0
 01762   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01763   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0
 01764   748   NtQueryValueKey  (132,  (132, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01765   748   NtClose  (132, ... ) == 0x0
 01766   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01767   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01768   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01769   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01770   748   NtQueryPerformanceCounter  (... {924897917, 10}, {3579545, 0}, ) == 0x0
 01771   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01772   748   NtQueryDefaultLocale  (1, 1236624, ... ) == 0x0
 01773   748   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01774   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01775   748   NtQueryValueKey  (132,  (132, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01776   748   NtClose  (132, ... ) == 0x0
 01777   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 01778   748   NtUserGetObjectInformation  (28, 1, 1236220, 12, 1236232, ... ) == 0x1
 01779   748   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01780   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 132, ) }, ... 132, ) == 0x0
 01781   748   NtQueryValueKey  (132,  (132, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 01782   748   NtClose  (132, ... ) == 0x0
 01783   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01784   748   NtQueryValueKey  (132,  (132, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01785   748   NtQueryValueKey  (132,  (132, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01786   748   NtClose  (132, ... ) == 0x0
 01787   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01788   748   NtQueryValueKey  (132,  (132, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01789   748   NtQueryValueKey  (132,  (132, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01790   748   NtClose  (132, ... ) == 0x0
 01791   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01792   748   NtQueryValueKey  (132,  (132, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01793   748   NtQueryValueKey  (132,  (132, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01794   748   NtClose  (132, ... ) == 0x0
 01795   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01796   748   NtQueryValueKey  (132,  (132, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01797   748   NtQueryValueKey  (132,  (132, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01798   748   NtClose  (132, ... ) == 0x0
 01799   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01800   748   NtQueryValueKey  (132,  (132, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01801   748   NtQueryValueKey  (132,  (132, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01802   748   NtClose  (132, ... ) == 0x0
 01803   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 132, ) }, ... 132, ) == 0x0
 01804   748   NtQueryValueKey  (132,  (132, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01805   748   NtQueryValueKey  (132,  (132, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01806   748   NtClose  (132, ... ) == 0x0
 01807   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 132, ) }, ... 132, ) == 0x0
 01808   748   NtQueryValueKey  (132,  (132, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01809   748   NtQueryValueKey  (132,  (132, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (132, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 01810   748   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 01811   748   NtClose  (132, ... ) == 0x0
 01812   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
 01813   748   NtCreateMutant  (0x1f0001, 0x0, 0, ... 136, ) == 0x0
 01814   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 01815   748   NtCreateMutant  (0x1f0001, 0x0, 0, ... 144, ) == 0x0
 01816   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 148, ) == 0x0
 01817   748   NtCreateMutant  (0x1f0001, 0x0, 0, ... 152, ) == 0x0
 01818   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 156, ) }, ... 156, ) == 0x0
 01819   748   NtQueryValueKey  (156,  (156, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01820   748   NtQueryValueKey  (156,  (156, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01821   748   NtQueryValueKey  (156,  (156, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01822   748   NtOpenKey  (0x1, {24, 156, 0x40, 0, 0,  (0x1, {24, 156, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01823   748   NtClose  (156, ... ) == 0x0
 01824   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1236136, ... ) }, 1236136, ... ) == 0x0
 01825   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 156, ) }, ... 156, ) == 0x0
 01826   748   NtQueryValueKey  (156,  (156, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (156, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (156, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01827   748   NtClose  (156, ... ) == 0x0
 01828   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 156, ) }, ... 156, ) == 0x0
 01829   748   NtQueryValueKey  (156,  (156, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (156, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (156, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 01830   748   NtClose  (156, ... ) == 0x0
 01831   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01832   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 156, ) }, ... 156, ) == 0x0
 01833   748   NtQueryValueKey  (156,  (156, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (156, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (156, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01834   748   NtClose  (156, ... ) == 0x0
 01835   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01836   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01837   748   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1378072, 0,  (0x1f0003, {24, 48, 0x80, 1378072, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 156, ) }, 0, 2147483647, ... 156, ) == STATUS_OBJECT_NAME_EXISTS
 01838   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01839   748   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01840   748   NtCreateKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 160, 2, ) }, 0, 0x0, 0, ... 160, 2, ) == 0x0
 01841   748   NtOpenKey  (0x10000, {24, 160, 0x40, 0, 0,  (0x10000, {24, 160, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01842   748   NtQueryValueKey  (160,  (160, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01843   748   NtQueryValueKey  (160,  (160, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01844   748   NtQueryValueKey  (160,  (160, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01845   748   NtQueryValueKey  (160,  (160, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01846   748   NtQueryValueKey  (160,  (160, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01847   748   NtQueryValueKey  (160,  (160, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01848   748   NtQueryValueKey  (160,  (160, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01849   748   NtQueryValueKey  (160,  (160, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01850   748   NtQueryValueKey  (160,  (160, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01851   748   NtQueryValueKey  (160,  (160, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01852   748   NtQueryValueKey  (160,  (160, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01853   748   NtQueryValueKey  (160,  (160, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01854   748   NtCreateKey  (0x20119, {24, 160, 0x40, 0, 0,  (0x20119, {24, 160, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 164, 2, ) }, 0, 0x0, 0, ... 164, 2, ) == 0x0
 01855   748   NtCreateKey  (0x20119, {24, 160, 0x40, 0, 0,  (0x20119, {24, 160, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01856   748   NtClose  (160, ... ) == 0x0
 01857   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 160, ) }, ... 160, ) == 0x0
 01858   748   NtQueryValueKey  (160,  (160, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01859   748   NtClose  (160, ... ) == 0x0
 01860   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01861   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01862   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233664, ... ) }, 1233664, ... ) == 0x0
 01863   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01864   748   NtQueryDirectoryFile  (160, 0, 0, 0, 1233092, 616, BothDirectory, 1,  (160, 0, 0, 0, 1233092, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01865   748   NtClose  (160, ... ) == 0x0
 01866   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01867   748   NtQueryDirectoryFile  (160, 0, 0, 0, 1233092, 616, BothDirectory, 1,  (160, 0, 0, 0, 1233092, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01868   748   NtClose  (160, ... ) == 0x0
 01869   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01870   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01871   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01872   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01873   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232312, ... ) }, 1232312, ... ) == 0x0
 01874   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1231084, ... ) }, 1231084, ... ) == 0x0
 01875   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01876   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01877   748   NtQueryValueKey  (164,  (164, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01878   748   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 01879   748   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01880   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01881   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01882   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 160, ) }, ... 160, ) == 0x0
 01883   748   NtQueryValueKey  (160,  (160, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01884   748   NtClose  (160, ... ) == 0x0
 01885   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01886   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01887   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0
 01888   748   NtQuerySystemTime  (... {-1139634462, 29916846}, ) == 0x0
 01889   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01890   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01891   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01892   748   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01893   748   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01894   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01895   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 184, ) == 0x0
 01896   748   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 01897   748   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\274|\352\3658\223\375\275\12I\312_i$!\252\315u\206Y\313\22B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01898   748   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01899   748   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01900   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01901   748   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01902   748   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01903   748   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01904   748   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01905   748   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01906   748   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "U\365Ie\256Z-V\3235\216!)\17\331\326\312d\341*|\357RK\315\264\347z\\250\225l\236H\332(\367\241\316\276IKi\\13l\373\355\235\320\37\254GO\6 \223\307\305\257fD\\272\33\206\214\200\313o\373\374%\334,\17P\216\204\35", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "U\365Ie\256Z-V\3235\216!)\17\331\326\312d\341*|\357RK\315\264\347z\\250\225l\236H\332(\367\241\316\276IKi\\13l\373\355\235\320\37\254GO\6 \223\307\305\257fD\\272\33\206\214\200\313o\373\374%\334,\17P\216\204\35", 80, ... ) , 80, ... ) == 0x0
 01907   748   NtClose  (-2147482740, ... ) == 0x0
 01897   748   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\314\357K\220\224\266s\224\221\351\2207\5/\237\22\251\14\352+P\236\24\225\377|Rw\227\23\20\155\215b{\206\221\262\341}\211%\210\262\224\331[O\231\205\336\215\224\330\216\307<\202\301d'\210\351\27\351\4\374\350\330.\207\266\17\371\337\201\360\246\356\26\262\335K\266v\225\200\247\344W\263\305\344\22!\220\322\362\12\367\261\272\212\255lR8$\373\375,oA\373A\266\362\267\227r\4x\375\360\317%\220\20\4`\314\354\177\222v\226\331\335g*\346\362G\325XJ, ) , ) == 0x0
 01908   748   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\274|\352\3658\223\375\275\12I\312_i$%t\372\310\246?V\372G\315u\206Y\313\22B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01909   748   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01910   748   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01911   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01912   748   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01913   748   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01914   748   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01915   748   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01916   748   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01917   748   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "9\236\262\333'\246\237\3722\0\3720\360\267\17p\337\271[\23\242\2011\243N\253\274\231Kx\31\3\373#k\372\341\217\5\21?<\202\243\205I\251\257\366/\10tYR\217<\177o}\307\242\352Q\306B\247\360\261\275\300\206\37\20\306\372\240\271Z7\32", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "9\236\262\333'\246\237\3722\0\3720\360\267\17p\337\271[\23\242\2011\243N\253\274\231Kx\31\3\373#k\372\341\217\5\21?<\202\243\205I\251\257\366/\10tYR\217<\177o}\307\242\352Q\306B\247\360\261\275\300\206\37\20\306\372\240\271Z7\32", 80, ... ) , 80, ... ) == 0x0
 01918   748   NtClose  (-2147482740, ... ) == 0x0
 01908   748   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "W9\303\4\353S\273\35\323\20\220;\323\315#J\316\260\25SdU|{|\2\221\272><\373\377\312:9\14\246WJ\216|P\216v4S\233PG%\2518\261\342O\33?\6w\366f\330\14\325<\236 g\373\36V\342s\215\244\341\257\211Bn\316\277i\270to\215-m\302j\366X_\375\37\2024\310I\223g\263\356\272\350\261le\273@\32J}\205\261\277\215\7\252\347\17\333sB\363\333W\272,\333\366M\2145q\323\34\326w\25\24\24\37\352\377<~]d\330\243 \36\317w\214\211\262\223\306\225Y\241\\21\307K\331\261Y\204?\11Du\246\357k*!\260]lvj\316l_W\253O\271\366p\316\326lQy, ) , ) == 0x0
 01919   748   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\274|\352\3658\223\375\275\12I\312_i$%t\372\310\246?V\376\231\372\310\246?V\372G\315u\206Y\313\22B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01920   748   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01921   748   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01922   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01923   748   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01924   748   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01925   748   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01926   748   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01927   748   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01928   748   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\355\205\334\260\200>\212\0bW\317\1\365J\\212\222\365l\251\226\212/\354\342\320$\\316\330K\325q\376Qu\1\215\255\320\200R\20D\324\12>\351\306\227\217\203O\321@x`\326\340i\333\253V\26\361\332p2\303\325\321\333\347\217\11\247\26y\333\37", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\355\205\334\260\200>\212\0bW\317\1\365J\\212\222\365l\251\226\212/\354\342\320$\\316\330K\325q\376Qu\1\215\255\320\200R\20D\324\12>\351\306\227\217\203O\321@x`\326\340i\333\253V\26\361\332p2\303\325\321\333\347\217\11\247\26y\333\37", 80, ... ) , 80, ... ) == 0x0
 01929   748   NtClose  (-2147482740, ... ) == 0x0
 01919   748   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "p\355+\260\177\3\337\202\2433\214\274\341\1\330\301\302\307?\322\223\4\223\351\316\274\364\351l\235~\273Q\25H\334\200?\207\214\373\11d\322%\205\355Uq=\272Z\205\260v\230\340V\2305:\274,\204r\351\206\203\371\371+\336E\273\304H\305\371~}\336\312\233\210\37\237B\311\374\202\3038s\341\303\324\333\372\213\25Ju\363a?\270\363\20|\1a\313\3`\274t\2277\3120\270\15`E\327\276\315\251\260{\277*6\362*\37\203.\314a\313\263\177\256\30\237/(\31\310\255\354\10\5\12\325\371\307W+\211\257\302A\275*\374c\34\317\354\25\0@D\314\241N\302+g5\226\330\366\305(c\233\223\2358\235\257\230\364Z\32V\317lL\5\303\232\270\35\37Tp\36\231\37\15i\317s\223\363\336\35\376\263\221r\372;\3654\265\23\32\362\344;\370#\3\224?\304\221\257\261S\237'>\277\225\207<"\3001"", ) \3001"", ) == 0x0
 01930   748   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\274|\352\3658\223\375\275\12I\312_i$%t\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\372G\315u\206Y\313\22B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01931   748   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01932   748   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01933   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01934   748   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01935   748   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01936   748   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01937   748   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01938   748   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01939   748   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "I\210\21b]\30\204\11\304g\244h!k\313U\343\10t\354\257\357\313\255\2066\272\213\225y\350\225\344\1\345\376\325\31\37\37w\31/\376\306\334\15\35\370\372l\213\22\324\26H\225\212?\367\13b&\346\204/\276aQ\232\20;x\237d{\12\11\272#", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "I\210\21b]\30\204\11\304g\244h!k\313U\343\10t\354\257\357\313\255\2066\272\213\225y\350\225\344\1\345\376\325\31\37\37w\31/\376\306\334\15\35\370\372l\213\22\324\26H\225\212?\367\13b&\346\204/\276aQ\232\20;x\237d{\12\11\272#", 80, ... ) , 80, ... ) == 0x0
 01940   748   NtClose  (-2147482740, ... ) == 0x0
 01930   748   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "}"Q\312\4\10<\314N\220G\302\213\336U\6gf\366\325T\221X\257I@\301\221p\231!\245\200\206\13\342W\355\225?\256\16\341NH\314\315\306^t\\356\35\342\26\2222n\352\363\225Z\306\373\36\221\257\275\331a\36)'jp\263\255\276B\227\261\200\370e\306\13*\253\277\261\214$/II\3347a\232\253\337\262\235\164k\316\30\242\350\3103\335:\314grjT\235z\307\236\306`\267\13\310\276\235\3f![\275Y\300\350O\2144\331\213U\316P\314k\3012\341\351\322\363\26\201N\246C*\33\222\214j\371\34vh\361\330\322\272\217E)\243=\303\350\313\244\214\36\2514+\2433\345O\311{[\243\374\356}\203Bc\227\342\234a\2155\363\227qKm\331\205\2T>\220\310p)`\355\363\3122h\3371\240r\315\277\350\2720/\315\35\222\177@\336\301\20\205\352\24\244\254GU\355\355i\7", ) Q\312\4\10<\314N\220G\302\213\336U\6gf\366\325T\221X\257I@\301\221p\231!\245\200\206\13\342W\355\225?\256\16\341NH\314\315\306^t\\356\35\342\26\2222n\352\363\225Z\306\373\36\221\257\275\331a\36)'jp\263\255\276B\227\261\200\370e\306\13*\253\277\261\214$/II\3347a\232\253\337\262\235\164k\316\30\242\350\3103\335:\314grjT\235z\307\236\306`\267\13\310\276\235\3f![\275Y\300\350O\2144\331\213U\316P\314k\3012\341\351\322\363\26\201N\246C*\33\222\214j\371\34vh\361\330\322\272\217E)\243=\303\350\313\244\214\36\2514+\2433\345O\311{[\243\374\356}\203Bc\227\342\234a\2155\363\227qKm\331\205\2T>\220\310p)`\355\363\3122h\3371\240r\315\277\350\2720/\315\35\222\177@\336\301\20\205\352\24\244\254GU\355\355i\7", ) == 0x0
 01941   748   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\274|\352\3658\223\375\275\12I\312_i$%t\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\372G\315u\206Y\313\22B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01942   748   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01943   748   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01944   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01945   748   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01946   748   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01947   748   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01948   748   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01949   748   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01950   748   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\267\321\255\201\301.\376\244q`\332\2674\314\327\350v\21\326\220\312\301\201M\237\357|$\336\15\7\236\311\350(\316\2\353\243\307\312\24\275\340t\5\10\206H^\200P]\235\210:\323u\213x4^\335\255i\11\363s\322"# \372\0ATX.R\6", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\267\321\255\201\301.\376\244q`\332\2674\314\327\350v\21\326\220\312\301\201M\237\357|$\336\15\7\236\311\350(\316\2\353\243\307\312\24\275\340t\5\10\206H^\200P]\235\210:\323u\213x4^\335\255i\11\363s\322"# \372\0ATX.R\6", 80, ... ) # \372\0ATX.R\6", 80, ... ) == 0x0
 01951   748   NtClose  (-2147482740, ... ) == 0x0
 01941   748   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\363\344\273BW\336X\321\237\275+\255\357\300V,\312\212\331C\230\337\331F3\7D\221\314N\245#F\335\364I\14G\264\243\341\346\27\32~\333rh\254*i\251\346\371\371\\367\347\35\230\367$\261N\274\216\334P\276\366\14\30\306\27\33h5\205\11><\311<\324 \261,O\302\241W\34o\330\243\222r\201>\216\244\371\366\214vU\270`\206)\343\311fXH\362\242\37\336,\263u\261\15o\322cI,B\376x0\371\204U(\23\0\347\355n4\227S\323zsIx\252\25\247\366\25cm\6C|\210\5\13\314\37?j\303\266\356Vx\263\15\303S\325\336W\303\36\260[\224R~w\356\276\345\26\247\265\326!~\327\274=\341\322\257\376\24'D\245\261\0\370\3pjU\36\34\23\250\271\4\36\246\217,l\310\310\237\202H\36464j#\224/FwOl\343\361\377\3\5*B\12\235[m4\6\222", ) , ) == 0x0
 01952   748   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\274|\352\3658\223\375\275\12I\312_i$%t\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\372G\315u\206Y\313\22B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01953   748   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01954   748   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01955   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01956   748   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01957   748   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01958   748   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01959   748   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01960   748   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01961   748   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\201\244\251\26\217\0\3604\336\36\25W\7\2713W\23\373\274\347\305\333ocC\360\34i\215\264\225!\221\36\16\262[\364k\7G\277Z\231\322P\271\300\21\343\6\26\352\236\21S\236\331hl\254f\21]0\237\337\247T\4\17n\334#\243\310\336\304\302\355", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\201\244\251\26\217\0\3604\336\36\25W\7\2713W\23\373\274\347\305\333ocC\360\34i\215\264\225!\221\36\16\262[\364k\7G\277Z\231\322P\271\300\21\343\6\26\352\236\21S\236\331hl\254f\21]0\237\337\247T\4\17n\334#\243\310\336\304\302\355", 80, ... ) , 80, ... ) == 0x0
 01962   748   NtClose  (-2147482740, ... ) == 0x0
 01952   748   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\212\212\356{}%\10/\306\364mpq\200)Jmx)\2hI\244J\335*\3142\240M\225mo\347s\225!\244i\2259\236\32\355\300\14]wg\265\15\375\344\261\22h\363\314_,\344\241\21\3%{+\367\2\203P\305\270\2\314Jy\375\1776\272$:\21B.\177\31\21*\12\22\212\276\3\307LH34H\206\264\270\354\250\262mI\3542}X\306\257\0\16\32r\251\11ys\7\364.PYE\376\24\7\265+,\322!\317\216O\0\310?\346\177r\266As\46\264l\267\3G\10\372\3\311D`\252D\276\227\304\350\210\200\210\326_\366k\326\377\333]\37\177Y8\277L\367w-J%\6`V*\323Fh%\162El\316\330\371O\7\342\317\33\217\17\220\312T\372\371e13\5\350\273\327y\273i\241\254H\206\336v!\367\303\15\11\6\323\2032\304\33[\4,k\273\243_C\3012\2258", ) , ) == 0x0
 01963   748   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\274|\352\3658\223\375\275\12I\312_i$%t\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\376\231\372\310\246?V\372G\315u\206Y\313\22B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01964   748   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01965   748   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01966   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01967   748   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01968   748   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01969   748   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01970   748   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01971   748   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 01972   748   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\211e\342\241{jl<\221\363\377\240QL\271\257>\331\210\1LD\37\304\374{\37g\305\303n\272\230~}\23\373\353\267T\0\205=\13\257\313\221\361\235\343\267\373]\250\224\24_\347\376o\2772\377(\\351\263^\31B\22\322K\11\236\311H\306\255\6", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\211e\342\241{jl<\221\363\377\240QL\271\257>\331\210\1LD\37\304\374{\37g\305\303n\272\230~}\23\373\353\267T\0\205=\13\257\313\221\361\235\343\267\373]\250\224\24_\347\376o\2772\377(\\351\263^\31B\22\322K\11\236\311H\306\255\6", 80, ... ) , 80, ... ) == 0x0
 01973   748   NtClose  (-2147482740, ... ) == 0x0
 01963   748   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, ".\307q\373\303\352\316c\205xg\351\311%v\3312b<\376\332Y@\331g\317\376 Z\37z\253)Gf\353Z\304\276\230\201\355\232\Yc\202\6*tY`\236\37\210\252\263\374\30\36\261R\377<\231\236:\360\262Q\366\217\122\345\220z\271\343QXWG\370\316q\331\16K\25VB\330\242\215\261M\336\376\26\240&\274d\224\250\371\230W\37G8\315\344\340\17\22\357\223r\377\216\307\220\343\365\372\217i\25\217c^\372kB`\372\0\365\256f\305\6\305\213\321b\330\356&-L,L\214\320\331\214\363U@aYMf\365\2641=\0\252W\273\347\217\353\305!21\242\247K\13\254\207b2'H'Y%\3420sb:\254\347\210\234B\355\346\325v9\231\15\270\336\316G\274\2224\374*\301\202\356\241\25576\234\14\357/_\356\367\352V\353\1\1f\300\24pS\260\356\343\227\272\4\1\245,\245\356\350", ) , ) == 0x0
 01974   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0
 01975   748   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1231456, 188, ... 192, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1231456, 188, ... 192, 0x0, 0x0, 0x0, 188, ) == 0x0
 01976   748   NtRequestWaitReplyPort  (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2}  (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 484, 748, 57977, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260 (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 484, 748, 57977, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0(\0\0\0\270 (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 484, 748, 57977, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ... {200, 224, reply, 0, 484, 748, 57977, 0}  (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 484, 748, 57977, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0h\1\24\0\12\0\0\0\0\0\0\0\260 (192, {200, 224, new_msg, 0, 2621478, 1385184, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\002\24\0\270"\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 484, 748, 57977, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\002\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\2\0\0\0\326XlPa\236\310\211\260"\25\0h\1\24\0\12\0\0\0\0\0\0\0\260"\25\0(\0\0\0\270"\25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0\351\253ESx\1\24\0(\0\0\0\247S\0\0\0\0\24\0\274\310\22\0\252\1\0\0\0\0\0\0\20X\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\310\22\0\372\31\221|t\320\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) == 0x0
 01977   748   NtRequestWaitReplyPort  (192, {32, 56, new_msg, 0, 0, 0, 0, 0}  (192, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 484, 748, 57978, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ... {124, 148, reply, 0, 484, 748, 57978, 0}  (192, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 484, 748, 57978, 0} "\2\376\255\201\1\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\0\0\0\0\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371R\250S\200\304;\350\371\4\0\0\0\0\0\0\0\220\276u\201<(\255\201\7\0\0\0\304\277u\201]\0\0\0" )  ) == 0x0
 01978   748   NtRequestWaitReplyPort  (192, {44, 68, new_msg, 56, 484, 748, 57978, 0}  (192, {44, 68, new_msg, 56, 484, 748, 57978, 0} "\1\376\0\0B\2\5\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\1\0\0\0`%\25\0\10\5\0\0" ... {40, 64, reply, 0, 484, 748, 57979, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 484, 748, 57979, 0}  (192, {44, 68, new_msg, 56, 484, 748, 57978, 0} "\1\376\0\0B\2\5\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\1\0\0\0`%\25\0\10\5\0\0" ... {40, 64, reply, 0, 484, 748, 57979, 0} "\2\31\221|\4\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\14\5\0\0\320\371\15\0" )  ) == 0x0
 01979   748   NtRequestWaitReplyPort  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1385816, 0}  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1385816, 0} "\10\0\0\0@\0\1\1U\1\0\0\230\313\22\0`%\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\0`%\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 484, 748, 57980, 0} "\10\0\0\0@\0\1\1U\1\0\0\230\313\22\0`%\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\0`%\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 484, 748, 57980, 0}  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1385816, 0} "\10\0\0\0@\0\1\1U\1\0\0\230\313\22\0`%\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\0`%\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 484, 748, 57980, 0} "\10\0\0\0@\0\1\1U\1\0\0\230\313\22\0`%\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\0`%\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01980   748   NtRequestWaitReplyPort  (192, {44, 68, new_msg, 56, 484, 748, 57979, 0}  (192, {44, 68, new_msg, 56, 484, 748, 57979, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\00*\25\0\10\5\0\0" ... {40, 64, reply, 0, 484, 748, 57981, 0} "\2\376\255\201\4\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\14\5\0\0\320\371\15\0" )  ... {40, 64, reply, 0, 484, 748, 57981, 0}  (192, {44, 68, new_msg, 56, 484, 748, 57979, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\00*\25\0\10\5\0\0" ... {40, 64, reply, 0, 484, 748, 57981, 0} "\2\376\255\201\4\0\0\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200X;\350\371\324\376\255\201\14\5\0\0\320\371\15\0" )  ) == 0x0
 01981   748   NtRequestWaitReplyPort  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1387048, 0}  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1387048, 0} "\10\0\0\0@\0\1\1\273\0\0\0\230\313\22\00*\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\00*\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 484, 748, 57982, 0} "\10\0\0\0@\0\1\1\273\0\0\0\230\313\22\00*\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\00*\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 484, 748, 57982, 0}  (192, {64, 88, new_msg, 56, 1385544, 1232032, 1387048, 0} "\10\0\0\0@\0\1\1\273\0\0\0\230\313\22\00*\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\00*\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 484, 748, 57982, 0} "\10\0\0\0@\0\1\1\273\0\0\0\230\313\22\00*\25\0\264\320\22\0\30\356\220|p\5\221|\1\0\0\00*\25\0\14\5\0\0\14\5\0\0\320\371\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01982   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 196, ) }, ... 196, ) == 0x0
 01983   748   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "ActiveComputerName"}, ... 200, ) }, ... 200, ) == 0x0
 01984   748   NtQueryValueKey  (200,  (200, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (200, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (200, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01985   748   NtClose  (200, ... ) == 0x0
 01986   748   NtClose  (196, ... ) == 0x0
 01987   748   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 196, ) == 0x0
 01988   748   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 200, ) == 0x0
 01989   748   NtDuplicateObject  (-1, 196, -1, 0x0, 0, 2, ... 204, ) == 0x0
 01990   748   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01991   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 208, ) == 0x0
 01992   748   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01993   748   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01994   748   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231492,  (0xc0100080, {24, 0, 0x40, 0, 1231492, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0
 01995   748   NtSetInformationFile  (212, 1231548, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01996   748   NtSetInformationFile  (212, 1231536, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01997   748   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01998   748   NtWriteFile  (212, 181, 0, 0,  (212, 181, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01999   748   NtReadFile  (212, 181, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (212, 181, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02000   748   NtFsControlFile  (212, 181, 0x0, 0x0, 0x11c017,  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\321\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\321\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20,+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02001   748   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 02002   748   NtFsControlFile  (212, 181, 0x0, 0x0, 0x11c017,  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\0\324\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0as\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\1\0\0\0\1\0\0\0,\0.\0\0\324\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0as\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22\0\0\0\0", ) , ) == 0x103
 02003   748   NtFsControlFile  (212, 181, 0x0, 0x0, 0x11c017,  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\3400\25\0\1\0\0\0\3540\25\0 \0\0\0\1\0\0\0\16\0\20\0\3700\25\0\101\25\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0H1\25\0\1\0\0\0\1\0\0\0X1\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (212, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24\316\274T\274\235tH\233\354\372\234W@\301\22", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\3400\25\0\1\0\0\0\3540\25\0 \0\0\0\1\0\0\0\16\0\20\0\3700\25\0\101\25\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0H1\25\0\1\0\0\0\1\0\0\0X1\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02004   748   NtClose  (208, ... ) == 0x0
 02005   748   NtClose  (212, ... ) == 0x0
 02006   748   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02007   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 02008   748   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02009   748   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02010   748   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1231464,  (0xc0100080, {24, 0, 0x40, 0, 1231464, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 208, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 208, {status=0x0, info=1}, ) == 0x0
 02011   748   NtSetInformationFile  (208, 1231520, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02012   748   NtSetInformationFile  (208, 1231508, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02013   748   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02014   748   NtWriteFile  (208, 181, 0, 0,  (208, 181, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02015   748   NtReadFile  (208, 181, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (208, 181, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02016   748   NtFsControlFile  (208, 181, 0x0, 0x0, 0x11c017,  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\321\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\321\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02017   748   NtFsControlFile  (208, 181, 0x0, 0x0, 0x11c017,  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\0\324\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0as\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\1\0\0\0\1\0\0\0,\0.\0\0\324\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0as\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216\0\0\0\0", ) , ) == 0x103
 02018   748   NtFsControlFile  (208, 181, 0x0, 0x0, 0x11c017,  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\3400\25\0\1\0\0\0\3540\25\0 \0\0\0\1\0\0\0\16\0\20\0\3700\25\0\101\25\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0H1\25\0\1\0\0\0\1\0\0\0X1\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (208, 181, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2169\4V\276h{J\225\236o\243\366\340=\216", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\3400\25\0\1\0\0\0\3540\25\0 \0\0\0\1\0\0\0\16\0\20\0\3700\25\0\101\25\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\5\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0H1\25\0\1\0\0\0\1\0\0\0X1\25\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02019   748   NtClose  (212, ... ) == 0x0
 02020   748   NtClose  (208, ... ) == 0x0
 02021   748   NtOpenProcessToken  (-1, 0x20008, ... 208, ) == 0x0
 02022   748   NtQueryInformationToken  (208, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02023   748   NtQueryInformationToken  (208, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 02024   748   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 212, ) }, ... 212, ) == 0x0
 02025   748   NtUserOpenWindowStation  ({24, 212, 0x40, 0, 0,  ({24, 212, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0xd8
 02026   748   NtClose  (212, ... ) == 0x0
 02027   748   NtUserCloseWindowStation  (216, ...
 02028   748   NtClose  (216, ... ) == 0x0
 02027   748   NtUserCloseWindowStation  ... ) == 0x1
 02029   748   NtClose  (208, ... ) == 0x0
 02030   748   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 208, ) == 0x0
 02031   748   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 216, ) == 0x0
 02032   748   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 212, ) == 0x0
 02033   748   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 220, ) == 0x0
 02034   748   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 224, ) == 0x0
 02035   748   NtMapViewOfSection  (224, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xbf0000), {0, 0}, 8192, ) == 0x0
 02036   748   NtQueryDefaultUILanguage  (1232156, ...
 02037   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02038   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 02039   748   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02040   748   NtClose  (-2147482740, ... ) == 0x0
 02041   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 02042   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02043   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 02044   748   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02045   748   NtClose  (-2147481328, ... ) == 0x0
 02046   748   NtClose  (-2147482740, ... ) == 0x0
 02036   748   NtQueryDefaultUILanguage  ... ) == 0x0
 02047   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02048   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02049   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230400, ... ) }, 1230400, ... ) == 0x0
 02050   748   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 02051   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1229172, ... ) }, 1229172, ... ) == 0x0
 02052   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02053   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02054   748   NtCreateFile  (0x10100080, {24, 0, 0x40, 0, 1231508,  (0x10100080, {24, 0, 0x40, 0, 1231508, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\90f_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 02055   748   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02056   748   NtClose  (-2147482740, ... ) == 0x0
 02057   748   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02058   748   NtClose  (-2147482740, ... ) == 0x0
 02059   748   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02060   748   NtClose  (-2147482740, ... ) == 0x0
 02054   748   NtCreateFile  ... 228, {status=0x0, info=2}, ) == 0x0
 02061   748   NtClose  (228, ... ) == 0x0
 02062   748   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 02063   748   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02064   748   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 228, {status=0x0, info=1}, ) }, 3, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02065   748   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 232, ) }, ... 232, ) == 0x0
 02066   748   NtQuerySymbolicLinkObject  (232, ...  (232, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 02067   748   NtClose  (232, ... ) == 0x0
 02068   748   NtQueryVolumeInformationFile  (228, 1230724, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02069   748   NtClose  (228, ... ) == 0x0
 02070   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 02071   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02072   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 228, ... 232, ) == 0x0
 02073   748   NtClose  (228, ... ) == 0x0
 02074   748   NtMapViewOfSection  (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc00000), 0x0, 126976, ) == 0x0
 02075   748   NtClose  (232, ... ) == 0x0
 02076   748   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02077   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1229828, ... ) }, 1229828, ... ) == 0x0
 02078   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0
 02079   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 232, ... 228, ) == 0x0
 02080   748   NtQuerySection  (228, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02081   748   NtClose  (232, ... ) == 0x0
 02082   748   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02083   748   NtClose  (228, ... ) == 0x0
 02084   748   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02085   748   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02086   748   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02087   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02088   748   NtAllocateVirtualMemory  (-1, 1392640, 0, 12288, 4096, 4, ... 1392640, 12288, ) == 0x0
 02089   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1231216, ... ) }, 1231216, ... ) == 0x0
 02090   748   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1231224,  (0x40100080, {24, 0, 0x40, 0, 1231224, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\90f_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 02091   748   NtClose  (-2147482740, ... ) == 0x0
 02092   748   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02093   748   NtClose  (-2147482740, ... ) == 0x0
 02094   748   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02095   748   NtClose  (-2147482740, ... ) == 0x0
 02096   748   NtQueryDirectoryFile  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482740, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02097   748   NtClose  (-2147482740, ... ) == 0x0
 02090   748   NtCreateFile  ... 228, {status=0x0, info=3}, ) == 0x0
 02098   748   NtAllocateVirtualMemory  (-1, 1404928, 0, 12288, 4096, 4, ... 1404928, 12288, ) == 0x0
 02099   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02100   748   NtQueryDirectoryFile  (232, 0, 0, 0, 1229928, 616, BothDirectory, 1,  (232, 0, 0, 0, 1229928, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 02101   748   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 02102   748   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (228, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (228, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 02103   748   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 02104   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230308, ... ) }, 1230308, ... ) == 0x0
 02105   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 02106   748   NtQueryDirectoryFile  (236, 0, 0, 0, 1229920, 592, Directory, 1,  (236, 0, 0, 0, 1229920, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 02107   748   NtClose  (236, ... ) == 0x0
 02108   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02109   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02110   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1228840, ... ) }, 1228840, ... ) == 0x0
 02111   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1227612, ... ) }, 1227612, ... ) == 0x0
 02112   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02113   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02114   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) == 0x0
 02115   748   NtQueryInformationFile  (236, 1230396, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02116   748   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 236, ... 240, ) == 0x0
 02117   748   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc00000), 0x0, 253952, ) == 0x0
 02118   748   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02119   748   NtClose  (240, ... ) == 0x0
 02120   748   NtClose  (236, ... ) == 0x0
 02121   748   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\05\00\08\08\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\05\00\08\08\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \02\05\00\08\08\00\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\05\00\08\08\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\09\02\0E\04\0B\0E\0B\0D\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\05\00\08\08\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0W\0I\0N\03\02\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\05\00\08\08\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\03\0B\06\00\0F\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\05\00\08\08\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\00\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\05\00\08\08\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\05\00\08\08\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\02\05\00\08\08\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\09\02\0E\04\0B\0E\0B\0D\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\03\0B\06\00\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\03\0/\02\00\00\07\0 \01\00\0:\00\07\0:\04\01\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... , 418, 0x0, 0, ...
 02122   748   NtContinue  (-139616172, 0, ...
 02121   748   NtWriteFile  ... {status=0x0, info=418}, ) == 0x0
 02123   748   NtQueryDirectoryFile  (232, 0, 0, 0, 1405864, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02124   748   NtClose  (232, ... ) == 0x0
 02125   748   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 02126   748   NtClose  (228, ... ) == 0x0
 02127   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1231216, ... ) }, 1231216, ... ) == 0x0
 02128   748   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1231224,  (0x40100080, {24, 0, 0x40, 0, 1231224, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\90f_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 228, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 228, {status=0x0, info=1}, ) == 0x0
 02129   748   NtQueryInformationFile  (228, 1231248, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02130   748   NtSetInformationFile  (228, 1231280, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02131   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02132   748   NtQueryDirectoryFile  (232, 0, 0, 0, 1229928, 616, BothDirectory, 1,  (232, 0, 0, 0, 1229928, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02133   748   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (228, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 02134   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230280, ... ) }, 1230280, ... ) == 0x0
 02135   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 02136   748   NtQueryDirectoryFile  (236, 0, 0, 0, 1229920, 592, Directory, 1,  (236, 0, 0, 0, 1229920, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 02137   748   NtClose  (236, ... ) == 0x0
 02138   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02139   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02140   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1228840, ... ) }, 1228840, ... ) == 0x0
 02141   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1227612, ... ) }, 1227612, ... ) == 0x0
 02142   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02143   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02144   748   NtQueryDefaultLocale  (1, 1229800, ... ) == 0x0
 02145   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02146   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02147   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1228832, ... ) }, 1228832, ... ) == 0x0
 02148   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1227604, ... ) }, 1227604, ... ) == 0x0
 02149   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02150   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02151   748   NtQueryDefaultLocale  (1, 1229792, ... ) == 0x0
 02152   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) == 0x0
 02153   748   NtQueryInformationFile  (236, 1230396, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02154   748   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 236, ... 240, ) == 0x0
 02155   748   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc00000), 0x0, 987136, ) == 0x0
 02156   748   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02157   748   NtClose  (240, ... ) == 0x0
 02158   748   NtClose  (236, ... ) == 0x0
 02159   748   NtQueryDefaultUILanguage  (1229752, ...
 02160   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02161   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 02162   748   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02163   748   NtClose  (-2147482740, ... ) == 0x0
 02164   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 02165   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02166   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 02167   748   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02168   748   NtClose  (-2147481328, ... ) == 0x0
 02169   748   NtClose  (-2147482740, ... ) == 0x0
 02159   748   NtQueryDefaultUILanguage  ... ) == 0x0
 02170   748   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (228, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0
 02171   748   NtQueryDirectoryFile  (232, 0, 0, 0, 1397160, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02172   748   NtClose  (232, ... ) == 0x0
 02173   748   NtWriteFile  (228, 0, 0, 0,  (228, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 02174   748   NtClose  (228, ... ) == 0x0
 02175   748   NtUnmapViewOfSection  (-1, 0x77b40000, ... ) == 0x0
 02176   748   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02177   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228488, ... ) }, 1228488, ... ) == 0x0
 02178   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229224, ... ) }, 1229224, ... ) == 0x0
 02179   748   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02180   748   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 228, ... 232, ) == 0x0
 02181   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02182   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 236, ) }, ... 236, ) == 0x0
 02183   748   NtQueryValueKey  (236,  (236, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02184   748   NtClose  (236, ... ) == 0x0
 02185   748   NtQueryVolumeInformationFile  (228, 1228500, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02186   748   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 02187   748   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 02188   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1226432, ... ) }, 1226432, ... ) == 0x0
 02189   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 02190   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 236, ... 240, ) == 0x0
 02191   748   NtClose  (236, ... ) == 0x0
 02192   748   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc00000), 0x0, 126976, ) == 0x0
 02193   748   NtClose  (240, ... ) == 0x0
 02194   748   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02195   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1226740, ... ) }, 1226740, ... ) == 0x0
 02196   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 240, {status=0x0, info=1}, ) }, 5, 96, ... 240, {status=0x0, info=1}, ) == 0x0
 02197   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 240, ... 236, ) == 0x0
 02198   748   NtQuerySection  (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02199   748   NtClose  (240, ... ) == 0x0
 02200   748   NtMapViewOfSection  (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02201   748   NtClose  (236, ... ) == 0x0
 02202   748   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02203   748   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02204   748   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02205   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02206   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) == 0x0
 02207   748   NtQueryInformationFile  (236, 1226756, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02208   748   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 236, ... 240, ) == 0x0
 02209   748   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc00000), 0x0, 1191936, ) == 0x0
 02210   748   NtQueryInformationFile  (236, 1226856, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02211   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02212   748   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 02213   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02214   748   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02215   748   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02216   748   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 244, ) }, ... 244, ) == 0x0
 02217   748   NtQueryValueKey  (244,  (244, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (244, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02218   748   NtClose  (244, ... ) == 0x0
 02219   748   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02220   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02221   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1224452, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224452, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02222   748   NtClose  (244, ... ) == 0x0
 02223   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02224   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02225   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224828, ... ) }, 1224828, ... ) == 0x0
 02226   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02227   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02228   748   NtClose  (244, ... ) == 0x0
 02229   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02230   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02231   748   NtClose  (244, ... ) == 0x0
 02232   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02233   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224256, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02234   748   NtClose  (244, ... ) == 0x0
 02235   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02236   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02237   748   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02238   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02239   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02240   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02241   748   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02242   748   NtClose  (244, ... ) == 0x0
 02243   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02244   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02245   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1225660, ... ) }, 1225660, ... ) == 0x0
 02246   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02247   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02248   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224528, ... ) }, 1224528, ... ) == 0x0
 02249   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 02250   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 244, ... 248, ) == 0x0
 02251   748   NtClose  (244, ... ) == 0x0
 02252   748   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd30000), 0x0, 180224, ) == 0x0
 02253   748   NtClose  (248, ... ) == 0x0
 02254   748   NtUnmapViewOfSection  (-1, 0xd30000, ... ) == 0x0
 02255   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224124, ... ) }, 1224124, ... ) == 0x0
 02256   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1224868,  (0x80100080, {24, 0, 0x40, 0, 1224868, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 02257   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 244, ) == 0x0
 02258   748   NtClose  (248, ... ) == 0x0
 02259   748   NtMapViewOfSection  (244, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xd30000), {0, 0}, 180224, ) == 0x0
 02260   748   NtClose  (244, ... ) == 0x0
 02261   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02262   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02263   748   NtQueryDefaultLocale  (1, 1225488, ... ) == 0x0
 02264   748   NtQueryVirtualMemory  (-1, 0xd30000, Basic, 28, ... {BaseAddress=0xd30000,AllocationBase=0xd30000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02265   748   NtQueryVirtualMemory  (-1, 0xd30000, Basic, 28, ... {BaseAddress=0xd30000,AllocationBase=0xd30000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02266   748   NtUnmapViewOfSection  (-1, 0xd30000, ... ) == 0x0
 02267   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02268   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02269   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224520, ... ) }, 1224520, ... ) == 0x0
 02270   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 02271   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 244, ... 248, ) == 0x0
 02272   748   NtClose  (244, ... ) == 0x0
 02273   748   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd30000), 0x0, 180224, ) == 0x0
 02274   748   NtClose  (248, ... ) == 0x0
 02275   748   NtUnmapViewOfSection  (-1, 0xd30000, ... ) == 0x0
 02276   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1224116, ... ) }, 1224116, ... ) == 0x0
 02277   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1224860,  (0x80100080, {24, 0, 0x40, 0, 1224860, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 248, {status=0x0, info=1}, ) == 0x0
 02278   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 248, ... 244, ) == 0x0
 02279   748   NtClose  (248, ... ) == 0x0
 02280   748   NtMapViewOfSection  (244, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xd30000), {0, 0}, 180224, ) == 0x0
 02281   748   NtClose  (244, ... ) == 0x0
 02282   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02283   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02284   748   NtQueryDefaultLocale  (1, 1225480, ... ) == 0x0
 02285   748   NtQueryVirtualMemory  (-1, 0xd30000, Basic, 28, ... {BaseAddress=0xd30000,AllocationBase=0xd30000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02286   748   NtUnmapViewOfSection  (-1, 0xd30000, ... ) == 0x0
 02287   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02288   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02289   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02290   748   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02291   748   NtClose  (244, ... ) == 0x0
 02292   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02293   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02294   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02295   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1226080, ... ) }, 1226080, ... ) == 0x0
 02296   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02297   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1,  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02298   748   NtClose  (244, ... ) == 0x0
 02299   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02300   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1,  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02301   748   NtClose  (244, ... ) == 0x0
 02302   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02303   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1,  (244, 0, 0, 0, 1225508, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02304   748   NtClose  (244, ... ) == 0x0
 02305   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02306   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02307   748   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 02308   748   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 02309   748   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02310   748   NtClose  (240, ... ) == 0x0
 02311   748   NtClose  (236, ... ) == 0x0
 02312   748   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02313   748   NtOpenProcessToken  (-1, 0xa, ... 236, ) == 0x0
 02314   748   NtQueryInformationToken  (236, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 02315   748   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02316   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 240, ) }, ... 240, ) == 0x0
 02317   748   NtQueryValueKey  (240,  (240, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (240, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02318   748   NtQueryValueKey  (240,  (240, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (240, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02319   748   NtClose  (240, ... ) == 0x0
 02320   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02321   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 240, ) }, ... 240, ) == 0x0
 02322   748   NtQueryValueKey  (240,  (240, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02323   748   NtClose  (240, ... ) == 0x0
 02324   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02325   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02326   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02327   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02328   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02329   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02330   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02331   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02332   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02333   748   NtQueryDefaultLocale  (1, 1227928, ... ) == 0x0
 02334   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 240, ) }, ... 240, ) == 0x0
 02335   748   NtEnumerateKey  (240, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (240, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02336   748   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 244, ) }, ... 244, ) == 0x0
 02337   748   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02338   748   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02339   748   NtClose  (244, ... ) == 0x0
 02340   748   NtEnumerateKey  (240, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02341   748   NtClose  (240, ... ) == 0x0
 02342   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 240, ) }, ... 240, ) == 0x0
 02343   748   NtEnumerateKey  (240, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 02344   748   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 244, ) }, ... 244, ) == 0x0
 02345   748   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 02346   748   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02347   748   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02348   748   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02349   748   NtClose  (244, ... ) == 0x0
 02350   748   NtEnumerateKey  (240, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 02351   748   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 244, ) }, ... 244, ) == 0x0
 02352   748   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 02353   748   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02354   748   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02355   748   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02356   748   NtClose  (244, ... ) == 0x0
 02357   748   NtEnumerateKey  (240, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 02358   748   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 244, ) }, ... 244, ) == 0x0
 02359   748   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 02360   748   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02361   748   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02362   748   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02363   748   NtClose  (244, ... ) == 0x0
 02364   748   NtEnumerateKey  (240, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 02365   748   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 244, ) }, ... 244, ) == 0x0
 02366   748   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 02367   748   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02368   748   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02369   748   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02370   748   NtClose  (244, ... ) == 0x0
 02371   748   NtEnumerateKey  (240, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (240, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 02372   748   NtOpenKey  (0x20019, {24, 240, 0x40, 0, 0,  (0x20019, {24, 240, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 244, ) }, ... 244, ) == 0x0
 02373   748   NtQueryValueKey  (244,  (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (244, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 02374   748   NtQueryValueKey  (244,  (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02375   748   NtQueryValueKey  (244,  (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (244, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02376   748   NtQueryValueKey  (244,  (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (244, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02377   748   NtClose  (244, ... ) == 0x0
 02378   748   NtEnumerateKey  (240, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02379   748   NtClose  (240, ... ) == 0x0
 02380   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02381   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02382   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02383   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02384   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02385   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02386   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02387   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02388   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02389   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02390   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02391   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02392   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02393   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02394   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02395   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02396   748   NtClose  (240, ... ) == 0x0
 02397   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02398   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02399   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02400   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02401   748   NtClose  (240, ... ) == 0x0
 02402   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02403   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02404   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02405   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02406   748   NtClose  (240, ... ) == 0x0
 02407   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02408   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02409   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02410   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02411   748   NtClose  (240, ... ) == 0x0
 02412   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02413   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02414   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02415   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02416   748   NtClose  (240, ... ) == 0x0
 02417   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02418   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02419   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02420   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02421   748   NtClose  (240, ... ) == 0x0
 02422   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02423   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02424   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02425   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02426   748   NtClose  (240, ... ) == 0x0
 02427   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02428   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02429   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02430   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02431   748   NtClose  (240, ... ) == 0x0
 02432   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02433   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02434   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02435   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02436   748   NtClose  (240, ... ) == 0x0
 02437   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02438   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02439   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02440   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02441   748   NtClose  (240, ... ) == 0x0
 02442   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02443   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02444   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02445   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02446   748   NtClose  (240, ... ) == 0x0
 02447   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02448   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02449   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02450   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02451   748   NtClose  (240, ... ) == 0x0
 02452   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02453   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02454   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02455   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02456   748   NtClose  (240, ... ) == 0x0
 02457   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02458   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02459   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02460   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02461   748   NtClose  (240, ... ) == 0x0
 02462   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02463   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02464   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02465   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02466   748   NtClose  (240, ... ) == 0x0
 02467   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02468   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 240, ) }, ... 240, ) == 0x0
 02469   748   NtQueryValueKey  (240,  (240, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (240, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (240, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02470   748   NtClose  (240, ... ) == 0x0
 02471   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02472   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 240, ) == 0x0
 02473   748   NtQueryInformationToken  (240, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02474   748   NtClose  (240, ... ) == 0x0
 02475   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02476   748   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02477   748   NtOpenProcessToken  (-1, 0xa, ... 240, ) == 0x0
 02478   748   NtDuplicateToken  (240, 0xc, {24, 0, 0x0, 0, 1228360, 0x0}, 0, 2, ... 244, ) == 0x0
 02479   748   NtClose  (240, ... ) == 0x0
 02480   748   NtAccessCheck  (1379992, 244, 0x1, 1228436, 1228488, 56, 1228468, ... (0x1), ) == 0x0
 02481   748   NtClose  (244, ... ) == 0x0
 02482   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 244, ) }, ... 244, ) == 0x0
 02483   748   NtQueryValueKey  (244,  (244, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (244, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02484   748   NtClose  (244, ... ) == 0x0
 02485   748   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 244, ) }, ... 244, ) == 0x0
 02486   748   NtQuerySymbolicLinkObject  (244, ...  (244, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02487   748   NtClose  (244, ... ) == 0x0
 02488   748   NtQueryVolumeInformationFile  (228, 1226192, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02489   748   NtQueryInformationFile  (228, 1226308, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 02490   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02491   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02492   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1225480, ... ) }, 1225480, ... ) == 0x0
 02493   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02494   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02495   748   NtClose  (244, ... ) == 0x0
 02496   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02497   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02498   748   NtClose  (244, ... ) == 0x0
 02499   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 244, {status=0x0, info=1}, ) }, 3, 16417, ... 244, {status=0x0, info=1}, ) == 0x0
 02500   748   NtQueryDirectoryFile  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1,  (244, 0, 0, 0, 1224908, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02501   748   NtClose  (244, ... ) == 0x0
 02502   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02503   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02504   748   NtQueryInformationFile  (228, 1228348, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02505   748   NtCreateSection  (0xf0005, 0x0, {180224, 0}, 2, 134217728, 228, ... 244, ) == 0x0
 02506   748   NtMapViewOfSection  (244, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0xc00000), {0, 0}, 180224, ) == 0x0
 02507   748   NtClose  (244, ... ) == 0x0
 02508   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02509   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 244, ) == 0x0
 02510   748   NtQueryInformationToken  (244, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02511   748   NtClose  (244, ... ) == 0x0
 02512   748   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 244, ) }, ... 244, ) == 0x0
 02513   748   NtOpenKey  (0x20019, {24, 244, 0x40, 0, 0,  (0x20019, {24, 244, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 240, ) }, ... 240, ) == 0x0
 02514   748   NtClose  (244, ... ) == 0x0
 02515   748   NtQueryValueKey  (240,  (240, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02516   748   NtQueryValueKey  (240,  (240, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (240, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 02517   748   NtClose  (240, ... ) == 0x0
 02518   748   NtUnmapViewOfSection  (-1, 0xc00000, ... ) == 0x0
 02519   748   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 12582912, 4096, ) == 0x0
 02520   748   NtAllocateVirtualMemory  (-1, 12582912, 0, 4096, 4096, 4, ... 12582912, 4096, ) == 0x0
 02521   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 240, ) }, ... 240, ) == 0x0
 02522   748   NtQueryValueKey  (240,  (240, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02523   748   NtClose  (240, ... ) == 0x0
 02524   748   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02525   748   NtQueryInformationToken  (236, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02526   748   NtQueryInformationToken  (236, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02527   748   NtClose  (236, ... ) == 0x0
 02528   748   NtQuerySection  (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02529   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02530   748   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02531   748   NtCreateProcessEx  (1230272, 2035711, 0, -1, 4, 232, 0, 0, 0, ... ) == 0x0
 02532   748   NtSetInformationProcess  (236, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 02533   748   NtSetInformationProcess  (236, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02534   748   NtQueryInformationProcess  (236, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd9000,AffinityMask=0x1,BasePriority=8,Pid=1784,ParentPid=484,}, 0x0, ) == 0x0
 02535   748   NtReadVirtualMemory  (236, 0x7ffd9008, 4, ...  (236, 0x7ffd9008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 02536   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02537   748   NtReadVirtualMemory  (236, 0x30000000, 4096, ...  (236, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0
 02538   748   NtReadVirtualMemory  (236, 0x30033000, 256, ...  (236, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 02539   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02540   748   NtQueryInformationProcess  (236, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd9000,AffinityMask=0x1,BasePriority=8,Pid=1784,ParentPid=484,}, 0x0, ) == 0x0
 02541   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1229224, ... ) }, 1229224, ... ) == 0x0
 02542   748   NtAllocateVirtualMemory  (-1, 0, 0, 2428, 4096, 4, ... 12648448, 4096, ) == 0x0
 02543   748   NtAllocateVirtualMemory  (236, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 02544   748   NtWriteVirtualMemory  (236, 0x10000,  (236, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 02545   748   NtAllocateVirtualMemory  (236, 0, 0, 2428, 4096, 4, ... 131072, 4096, ) == 0x0
 02546   748   NtWriteVirtualMemory  (236, 0x20000,  (236, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0
 02547   748   NtWriteVirtualMemory  (236, 0x7ffd9010,  (236, 0x7ffd9010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02548   748   NtAllocateVirtualMemory  (236, 0, 0, 388, 4096, 4, ... 196608, 4096, ) == 0x0
 02549   748   NtWriteVirtualMemory  (236, 0x30000,  (236, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0
 02550   748   NtWriteVirtualMemory  (236, 0x7ffd91e8,  (236, 0x7ffd91e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02551   748   NtFreeVirtualMemory  (-1, (0xc10000), 0, 32768, ... (0xc10000), 4096, ) == 0x0
 02552   748   NtAllocateVirtualMemory  (236, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 02553   748   NtAllocateVirtualMemory  (236, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 02554   748   NtProtectVirtualMemory  (236, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 02555   748   NtCreateThread  (0x1f03ff, 0x0, 236, 1230280, 1229944, 1, ... 240, {1784, 1480}, ) == 0x0
 02556   748   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\357\0\0\0\360\0\0\0\370\6\0\0\310\5\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\311\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\375\177\0\0\0\0\0\0\25\0\10 \0\0" ... {168, 196, reply, 0, 484, 748, 57983, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\354\0\0\0\360\0\0\0\370\6\0\0\310\5\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\311\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\375\177\0\0\0\0\0\0\25\0\10 \0\0" )  ... {168, 196, reply, 0, 484, 748, 57983, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\357\0\0\0\360\0\0\0\370\6\0\0\310\5\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\311\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\375\177\0\0\0\0\0\0\25\0\10 \0\0" ... {168, 196, reply, 0, 484, 748, 57983, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\354\0\0\0\360\0\0\0\370\6\0\0\310\5\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\311\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\375\177\0\0\0\0\0\0\25\0\10 \0\0" )  ) == 0x0
 02557   748   NtResumeThread  (240, ... 1, ) == 0x0
 02558   748   NtClose  (228, ... ) == 0x0
 02559   748   NtClose  (232, ... ) == 0x0
 02560   748   NtClose  (240, ... ) == 0x0
 02561   748   NtWaitForMultipleObjects  (2, (216, 236, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02562   748   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x102
 02563   748   NtWaitForMultipleObjects  (2, (216, 236, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02564   748   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x102
 02565   748   NtWaitForMultipleObjects  (2, (216, 236, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02566   748   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x102
 02567   748   NtWaitForMultipleObjects  (2, (216, 236, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 02568   748   NtWaitForSingleObject  (208, 0, {0, 0}, ... ) == 0x0
 02569   748   NtClose  (236, ... ) == 0x0
 02570   748   NtUnmapViewOfSection  (-1, 0xbf0000, ... ) == 0x0
 02571   748   NtClose  (224, ... ) == 0x0
 02572   748   NtClose  (208, ... ) == 0x0
 02573   748   NtClose  (216, ... ) == 0x0
 02574   748   NtClose  (212, ... ) == 0x0
 02575   748   NtClose  (220, ... ) == 0x0
 02576   748   NtClose  (164, ... ) == 0x0
 02577   748   NtClose  (168, ... ) == 0x0
 02578   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02579   748   NtWaitForMultipleObjects  (2, (132, 136, ), 1, 0, 0x0, ... ) == 0x1
 02580   748   NtClose  (136, ... ) == 0x0
 02581   748   NtSetEvent  (132, ... 0x0, ) == 0x0
 02582   748   NtClose  (132, ... ) == 0x0
 02583   748   NtWaitForMultipleObjects  (2, (140, 144, ), 1, 0, 0x0, ... ) == 0x1
 02584   748   NtClose  (144, ... ) == 0x0
 02585   748   NtSetEvent  (140, ... 0x0, ) == 0x0
 02586   748   NtClose  (140, ... ) == 0x0
 02587   748   NtWaitForMultipleObjects  (2, (148, 152, ), 1, 0, 0x0, ... ) == 0x1
 02588   748   NtClose  (152, ... ) == 0x0
 02589   748   NtSetEvent  (148, ... 0x0, ) == 0x0
 02590   748   NtClose  (148, ... ) == 0x0
 02591   748   NtRequestWaitReplyPort  (192, {88, 112, new_msg, 0, 484, 748, 57981, 0}  (192, {88, 112, new_msg, 0, 484, 748, 57981, 0} "\1\376\0\0A\2<\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371" ... {124, 148, reply, 0, 484, 748, 58110, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ... {124, 148, reply, 0, 484, 748, 58110, 0}  (192, {88, 112, new_msg, 0, 484, 748, 57981, 0} "\1\376\0\0A\2<\0\200Y\274\201V\347\340\341\264\311\275\201:\332R\200\377\377\377\377\324\376\255\201\0\0\0\0)%\25E?>\A\250\245\22\360\331E\16S\331E\16S\10\210\300\310\0\0\0\3\1\0\0\3\1\0\0\10A\210\300\0@\250\300\220\276u\201\264;\350\371" ... {124, 148, reply, 0, 484, 748, 58110, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\260\375\177\220k\364\367\370\37`\300lk\364\367X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\300\375\177(l\364\367\253\362Q\200\324k\364\367\300\250U\200aFT\200\0\0\0\0h\242\250\201\0;\251\201\1`\202\201\0\0\0\0\0\376?\300\344\243n\371\20W\271\201\2\0\0\0\240V\271\201\240V\271\201" )  ) == 0x0
 02592   748   NtClose  (188, ... ) == 0x0
 02593   748   NtClose  (192, ... ) == 0x0
 02594   748   NtClose  (128, ... ) == 0x0
 02595   748   NtUnmapViewOfSection  (-1, 0x69450000, ... ) == 0x0
 02596   748   NtUnmapViewOfSection  (-1, 0x77920000, ... ) == 0x0
 02597   748   NtUnmapViewOfSection  (-1, 0x76f50000, ... ) == 0x0
 02598   748   NtUnmapViewOfSection  (-1, 0x76360000, ... ) == 0x0
 02599   748   NtUnmapViewOfSection  (-1, 0x5b860000, ... ) == 0x0
 02600   748   NtUnmapViewOfSection  (-1, 0x769c0000, ... ) == 0x0
 02601   748   NtContinue  (1239608, 0, ...
 02602   748   NtTerminateProcess  (0, -1073741680, ... ) == 0x0
 02603   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02604   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0
 02605   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0
 02606   748   NtClose  (156, ... ) == 0x0
 02607   748   NtUserPostThreadMessage  (1748, 49315, 0, 748, ... ) == 0x1
 02608   748   NtUserPostThreadMessage  (416, 49315, 0, 748, ... ) == 0x1
 02609   748   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02610   748   NtUserUnhookWindowsHookEx  (393695, ... ) == 0x1
 02611   748   NtUserUnhookWindowsHookEx  (1573423, ... ) == 0x1
 02612   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 02613   748   NtUnmapViewOfSection  (-1, 0xba0000, ... ) == 0x0
 02614   748   NtClose  (116, ... ) == 0x0
 02615   748   NtClose  (112, ... ) == 0x0
 02616   748   NtClose  (92, ... ) == 0x0
 02617   748   NtClose  (96, ... ) == 0x0
 02618   748   NtClose  (100, ... ) == 0x0
 02619   748   NtClose  (104, ... ) == 0x0
 02620   748   NtClose  (108, ... ) == 0x0
 02621   748   NtUnmapViewOfSection  (-1, 0xb90000, ... ) == 0x0
 02622   748   NtClose  (88, ... ) == 0x0
 02623   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 02624   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 02625   748   NtUserBuildNameList  (28, 522, 1414064, 1244228, ... ) == 0x0
 02626   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 02627   748   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x58
 02628   748   NtUserBuildHwndList  (88, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0x70104, 0xa0102, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x90114, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 54, ) == 0x0
 02629   748   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02630   748   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 02631   748   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 02632   748   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02633   748   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02634   748   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 02635   748   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 02636   748   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02637   748   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 02638   748   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 02639   748   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 02640   748   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 02641   748   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 02642   748   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 02643   748   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 02644   748   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 02645   748   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 02646   748   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 02647   748   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 02648   748   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 02649   748   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 02650   748   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 02651   748   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 02652   748   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 02653   748   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 02654   748   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 02655   748   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 02656   748   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 02657   748   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 02658   748   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 02659   748   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 02660   748   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 02661   748   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 02662   748   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 02663   748   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 02664   748   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 02665   748   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 02666   748   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 02667   748   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 02668   748   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 02669   748   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 02670   748   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 02671   748   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 02672   748   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 02673   748   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 02674   748   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02675   748   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 02676   748   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 02677   748   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02678   748   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02679   748   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 02680   748   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 02681   748   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02682   748   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02683   748   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 02684   748   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 02685   748   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02686   748   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02687   748   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 02688   748   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 02689   748   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02690   748   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02691   748   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 02692   748   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 02693   748   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02694   748   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02695   748   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 02696   748   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 02697   748   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02698   748   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02699   748   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 02700   748   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 02701   748   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02702   748   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 02703   748   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 02704   748   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 02705   748   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 02706   748   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 02707   748   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 02708   748   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 02709   748   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 02710   748   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 02711   748   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 02712   748   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 02713   748   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 02714   748   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 02715   748   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 02716   748   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 02717   748   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 02718   748   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 02719   748   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 02720   748   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 02721   748   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 02722   748   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 02723   748   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 02724   748   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 02725   748   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 02726   748   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 02727   748   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 02728   748   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 02729   748   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 02730   748   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 02731   748   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 02732   748   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 02733   748   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02734   748   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 02735   748   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 02736   748   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02737   748   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02738   748   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 02739   748   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 02740   748   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02741   748   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02742   748   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 02743   748   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 02744   748   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02745   748   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02746   748   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 02747   748   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 02748   748   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02749   748   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02750   748   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 02751   748   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 02752   748   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02753   748   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02754   748   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 02755   748   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 02756   748   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02757   748   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02758   748   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 02759   748   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 02760   748   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02761   748   NtUserRemoveProp  (655618, 43282, ... ) == 0x0
 02762   748   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02763   748   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 02764   748   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 02765   748   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02766   748   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02767   748   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 02768   748   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 02769   748   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02770   748   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02771   748   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 02772   748   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 02773   748   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02774   748   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02775   748   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 02776   748   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 02777   748   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02778   748   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02779   748   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 02780   748   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 02781   748   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02782   748   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02783   748   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 02784   748   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 02785   748   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02786   748   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 02787   748   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 02788   748   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 02789   748   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 02790   748   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 02791   748   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 02792   748   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 02793   748   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 02794   748   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 02795   748   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 02796   748   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 02797   748   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 02798   748   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 02799   748   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02800   748   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 02801   748   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 02802   748   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02803   748   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02804   748   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 02805   748   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 02806   748   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02807   748   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02808   748   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 02809   748   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 02810   748   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02811   748   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02812   748   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 02813   748   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 02814   748   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02815   748   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02816   748   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 02817   748   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 02818   748   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02819   748   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02820   748   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 02821   748   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 02822   748   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02823   748   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02824   748   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 02825   748   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 02826   748   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02827   748   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02828   748   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 02829   748   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 02830   748   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02831   748   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02832   748   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 02833   748   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 02834   748   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02835   748   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02836   748   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 02837   748   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 02838   748   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02839   748   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02840   748   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 02841   748   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 02842   748   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02843   748   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02844   748   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 02845   748   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 02846   748   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02847   748   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02848   748   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 02849   748   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 02850   748   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02851   748   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02852   748   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 02853   748   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 02854   748   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02855   748   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02856   748   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 02857   748   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 02858   748   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02859   748   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 02860   748   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 02861   748   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 02862   748   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 02863   748   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 02864   748   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 02865   748   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 02866   748   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02867   748   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 02868   748   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 02869   748   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02870   748   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02871   748   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 02872   748   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 02873   748   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02874   748   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02875   748   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 02876   748   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 02877   748   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02878   748   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02879   748   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 02880   748   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 02881   748   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02882   748   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02883   748   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 02884   748   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 02885   748   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02886   748   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02887   748   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 02888   748   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 02889   748   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02890   748   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02891   748   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02892   748   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02893   748   NtUserRemoveProp  (590100, 43288, ... ) == 0xffffffff
 02894   748   NtUserRemoveProp  (590100, 43282, ... ) == 0x0
 02895   748   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02896   748   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02897   748   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02898   748   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 02899   748   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 02900   748   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02901   748   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02902   748   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 02903   748   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 02904   748   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02905   748   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02906   748   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 02907   748   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 02908   748   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02909   748   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02910   748   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 02911   748   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 02912   748   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02913   748   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 02914   748   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 02915   748   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 02916   748   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 02917   748   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 02918   748   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 02919   748   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 02920   748   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 02921   748   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 02922   748   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 02923   748   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 02924   748   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 02925   748   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 02926   748   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 02927   748   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 02928   748   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 02929   748   NtUserCloseDesktop  (88, ... ) == 0x1
 02930   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 02931   748   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02932   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 02933   748   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02934   748   NtGdiDeleteObjectApp  (856294625, ... ) == 0x1
 02935   748   NtGdiDeleteObjectApp  (1376388660, ... ) == 0x1
 02936   748   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 02937   748   NtClose  (60, ... ) == 0x0
 02938   748   NtClose  (52, ... ) == 0x0
 02939   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 02940   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02941   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02942   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 52, ) }, ... 52, ) == 0x0
 02943   748   NtQueryValueKey  (52,  (52, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02944   748   NtClose  (52, ... ) == 0x0
 02945   748   NtClose  (44, ... ) == 0x0
 02946   748   NtFreeVirtualMemory  (-1, (0xc00000), 4096, 32768, ... (0xc00000), 4096, ) == 0x0
 02947   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02948   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02949   748   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02950   748   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2011664592, 1178048, 1178452, 1178016}  (24, {20, 48, new_msg, 0, 2011664592, 1178048, 1178452, 1178016} "\0\0\0\0\3\0\1\0X\35\336w\234\375\21\0\220\0\0\300" ... {20, 48, reply, 0, 484, 748, 58113, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\234\375\21\0\220\0\0\300" )  ... {20, 48, reply, 0, 484, 748, 58113, 0}  (24, {20, 48, new_msg, 0, 2011664592, 1178048, 1178452, 1178016} "\0\0\0\0\3\0\1\0X\35\336w\234\375\21\0\220\0\0\300" ... {20, 48, reply, 0, 484, 748, 58113, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\234\375\21\0\220\0\0\300" )  ) == 0x0
 02951   748   NtTerminateProcess  (-1, -1073741680, ...
NtCallbackReturn(>)	1	NtUserGetImeInfoEx(>)	1	NtQueryVolumeInformationFile(>)	4	NtDeviceIoControlFile(>)	16
NtCreateProcessEx(>)	1	NtUserOpenWindowStation(>)	1	NtUserGetObjectInformation(>)	4	NtCreateEvent(>)	17
NtCreateSemaphore(>)	1	NtUserSetCursor(>)	1	NtUserMessageCall(>)	4	NtRequestWaitReplyPort(>)	18
NtCreateThread(>)	1	NtUserSetProp(>)	1	NtUserRemoveProp(>)	4	NtWaitForSingleObject(>)	18
NtGdiCreateBitmap(>)	1	NtUserSetWindowLong(>)	1	NtDuplicateObject(>)	5	NtUserCallOneParam(>)	20
NtGdiCreatePatternBrushInternal(>)	1	NtUserUpdateInputContext(>)	1	NtGdiGetStockObject(>)	5	NtQuerySection(>)	21
NtGdiGetTextCharsetInfo(>)	1	NtAccessCheck(>)	2	NtSetInformationFile(>)	5	NtQueryDirectoryFile(>)	24
NtGdiGetTextFaceW(>)	1	NtConnectPort(>)	2	NtUserBuildHwndList(>)	5	NtCreateFile(>)	26
NtGdiGetTextMetricsW(>)	1	NtCreateIoCompletion(>)	2	NtWriteVirtualMemory(>)	5	NtOpenSection(>)	27
NtGdiGetWidthTable(>)	1	NtDuplicateToken(>)	2	NtUserGetProcessWindowStation(>)	6	NtQueryDebugFilterState(>)	29
NtGdiInit(>)	1	NtGdiCreateSolidBrush(>)	2	NtFsControlFile(>)	7	NtOpenProcessTokenEx(>)	36
NtGdiQueryFontAssocInfo(>)	1	NtNotifyChangeKey(>)	2	NtQueryInformationFile(>)	7	NtOpenThreadTokenEx(>)	36
NtGdiSelectBitmap(>)	1	NtQueryInformationJobObject(>)	2	NtUserGetDC(>)	7	NtQueryVirtualMemory(>)	39
NtLockVirtualMemory(>)	1	NtQueryPerformanceCounter(>)	2	NtWaitForMultipleObjects(>)	7	NtQueryInformationToken(>)	47
NtOpenEvent(>)	1	NtReadFile(>)	2	NtEnumerateKey(>)	8	NtSetInformationProcess(>)	49
NtOpenKeyedEvent(>)	1	NtTerminateProcess(>)	2	NtOpenProcessToken(>)	8	NtQueryDefaultLocale(>)	60
NtOpenMutant(>)	1	NtUserCloseWindowStation(>)	2	NtOpenThreadToken(>)	8	NtQueryInformationProcess(>)	64
NtQueryInstallUILanguage(>)	1	NtUserPostThreadMessage(>)	2	NtQueryDefaultUILanguage(>)	8	NtUnmapViewOfSection(>)	64
NtQueryObject(>)	1	NtUserSetWindowFNID(>)	2	NtSetValueKey(>)	8	NtCreateSection(>)	69
NtQuerySystemTime(>)	1	NtUserSetWindowsHookEx(>)	2	NtUserSystemParametersInfo(>)	8	NtOpenFile(>)	69
NtRegisterThreadTerminatePort(>)	1	NtUserUnhookWindowsHookEx(>)	2	NtUserCallNoParam(>)	9	NtAllocateVirtualMemory(>)	77
NtResumeThread(>)	1	NtGdiHfontCreate(>)	3	NtCreateMutant(>)	10	NtQuerySystemInformation(>)	78
NtSecureConnectPort(>)	1	NtOpenDirectoryObject(>)	3	NtCreateKey(>)	11	NtMapViewOfSection(>)	88
NtTestAlert(>)	1	NtOpenSymbolicLinkObject(>)	3	NtFreeVirtualMemory(>)	11	NtQueryAttributesFile(>)	99
NtUserBuildNameList(>)	1	NtQuerySymbolicLinkObject(>)	3	NtUserFindExistingCursorIcon(>)	11	NtFlushInstructionCache(>)	121
NtUserCallHwndParam(>)	1	NtReadVirtualMemory(>)	3	NtWriteFile(>)	11	NtUserValidateHandleSecure(>)	139
NtUserCloseDesktop(>)	1	NtSetEvent(>)	3	NtReleaseMutant(>)	12	NtUserQueryWindow(>)	160
NtUserCreateWindowEx(>)	1	NtSetInformationObject(>)	3	NtUserGetWindowDC(>)	12	NtOpenKey(>)	222
NtUserGetAtomName(>)	1	NtUserGetThreadDesktop(>)	3	NtUserRegisterWindowMessage(>)	13	NtProtectVirtualMemory(>)	243
NtUserGetClassName(>)	1	NtUserOpenDesktop(>)	3	NtContinue(>)	15	NtQueryValueKey(>)	243
NtUserGetForegroundWindow(>)	1	NtGdiCreateCompatibleDC(>)	4	NtSetInformationThread(>)	15	NtClose(>)	383
NtUserGetGUIThreadInfo(>)	1	NtGdiDeleteObjectApp(>)	4	NtUserRegisterClassExWOW(>)	15