Summary: per-syscall call counts for the trace below (NT syscall name followed by how many times it was invoked; the four columns read top-to-bottom, left-to-right in ascending count, with NtClose the most frequent at 272).

NtAddAtom(>) 1 NtDelayExecution(>) 2 NtUserOpenDesktop(>) 3 NtRequestWaitReplyPort(>) 16
NtConnectPort(>) 1 NtDuplicateObject(>) 2 NtWaitForMultipleObjects(>) 3 NtUnmapViewOfSection(>) 16
NtCreateKey(>) 1 NtEnumerateKey(>) 2 NtWriteFile(>) 3 NtQueryDefaultLocale(>) 17
NtCreateProcessEx(>) 1 NtGdiCreatePatternBrushInternal(>) 2 NtGdiDeleteObjectApp(>) 4 NtProtectVirtualMemory(>) 19
NtDuplicateToken(>) 1 NtGdiCreateSolidBrush(>) 2 NtReleaseMutant(>) 4 NtUserGetWindowDC(>) 19
NtEnumerateValueKey(>) 1 NtGdiHfontCreate(>) 2 NtUserBuildHwndList(>) 4 NtCreateEvent(>) 21
NtFsControlFile(>) 1 NtNotifyChangeKey(>) 2 NtUserGetObjectInformation(>) 4 NtQuerySystemInformation(>) 23
NtGdiCreateBitmap(>) 1 NtOpenDirectoryObject(>) 2 NtUserRegisterWindowMessage(>) 4 NtUserCallOneParam(>) 23
NtGdiInit(>) 1 NtOpenEvent(>) 2 NtUserRemoveProp(>) 4 NtOpenProcessTokenEx(>) 27
NtGdiQueryFontAssocInfo(>) 1 NtOpenSymbolicLinkObject(>) 2 NtWriteVirtualMemory(>) 4 NtOpenThreadTokenEx(>) 27
NtGdiSelectBitmap(>) 1 NtOpenThreadToken(>) 2 NtGdiGetStockObject(>) 5 NtQuerySection(>) 29
NtOpenKeyedEvent(>) 1 NtQueryInstallUILanguage(>) 2 NtOpenProcessToken(>) 5 NtFreeVirtualMemory(>) 30
NtOpenProcess(>) 1 NtQuerySymbolicLinkObject(>) 2 NtCreateSemaphore(>) 6 NtQueryInformationToken(>) 33
NtQueryInformationJobObject(>) 1 NtReadVirtualMemory(>) 2 NtDeviceIoControlFile(>) 6 NtCreateSection(>) 39
NtQueryInformationThread(>) 1 NtRegisterThreadTerminatePort(>) 2 NtQueryVolumeInformationFile(>) 6 NtOpenSection(>) 46
NtQueryObject(>) 1 NtResumeThread(>) 2 NtSetInformationProcess(>) 6 NtUserUnregisterClass(>) 46
NtQueryPerformanceCounter(>) 1 NtTestAlert(>) 2 NtUserGetProcessWindowStation(>) 6 NtUserFindExistingCursorIcon(>) 48
NtQueryTimerResolution(>) 1 NtUserCloseDesktop(>) 2 NtWaitForSingleObject(>) 6 NtQueryVirtualMemory(>) 52
NtSecureConnectPort(>) 1 NtUserCreateWindowEx(>) 2 NtUserCallNoParam(>) 7 NtOpenFile(>) 54
NtUserBuildNameList(>) 1 NtUserGetClassName(>) 2 NtFlushInstructionCache(>) 8 NtMapViewOfSection(>) 59
NtUserGetAncestor(>) 1 NtUserGetGUIThreadInfo(>) 2 NtQueryDefaultUILanguage(>) 8 NtUserRegisterClassExWOW(>) 64
NtUserGetDC(>) 1 NtUserGetThreadDesktop(>) 2 NtQueryDirectoryFile(>) 10 NtUserGetClassInfo(>) 82
NtUserGetThreadState(>) 1 NtUserMessageCall(>) 2 NtUserSystemParametersInfo(>) 11 NtQueryAttributesFile(>) 95
NtUserSetProp(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQueryInformationProcess(>) 12 NtAllocateVirtualMemory(>) 103
NtUserSetWindowPos(>) 1 NtOpenMutant(>) 3 NtCreateMutant(>) 14 NtUserQueryWindow(>) 112
NtAccessCheck(>) 2 NtSetEvent(>) 3 NtQueryInformationFile(>) 14 NtOpenKey(>) 148
NtCallbackReturn(>) 2 NtSetInformationFile(>) 3 NtCreateFile(>) 15 NtQueryValueKey(>) 231
NtContinue(>) 2 NtSetInformationObject(>) 3 NtSetInformationThread(>) 15 NtUserGetAsyncKeyState(>) 246
NtCreateThread(>) 2 NtTerminateProcess(>) 3 NtQueryDebugFilterState(>) 16 NtClose(>) 272

Trace: one entry per syscall in call order, formatted `<seq> <caller id> <NtSyscall> (<input args> ... <output args>, ) == <NTSTATUS>`. Every entry carries caller id 432, so this is a single thread/process; the traced image is u:\work\packed.exe (see the Image File Execution Options lookup at 00001 and the packed.exe.Local probe at 00017). Review note: SafeDllSearchMode is absent at 00069, and each DLL not found in \KnownDlls is probed first in u:\work\, then relative to the directory handle opened at 00014 (\??\U:\startupscripts\, presumably the current directory), and only then in System32 (e.g. 00072–00075, 00110–00113) — a writable u:\work\ or U:\startupscripts\ would allow DLL planting for this process. The protection flip on the page at 0x429000 followed by NtFlushInstructionCache at 00056–00058 looks like loader fixups but is worth confirming given the "packed" filename.

00001 432 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 432 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 432 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 432 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 432 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 432 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 432 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 432 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 432 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 432 NtClose (12, ... 
) == 0x0 00014 432 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 432 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 432 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 432 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 432 NtClose (16, ... ) == 0x0 00021 432 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 432 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 432 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 432 NtClose (16, ... ) == 0x0 00026 432 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 432 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 432 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 432 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 432 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 432 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 428, 432, 1476, 0} "\360L\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 428, 432, 1476, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 428, 432, 1476, 0} "\360L\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 432 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 432 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 432 NtClose (16, ... ) == 0x0 00036 432 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 432 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 432 NtClose (28, ... ) == 0x0 00041 432 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 432 NtClose (28, ... ) == 0x0 00045 432 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 432 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 432 NtClose (28, ... ) == 0x0 00049 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 432 NtClose (28, ... ) == 0x0 00052 432 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 432 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 428, 432, 1480, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 428, 432, 1480, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 428, 432, 1480, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 432 NtProtectVirtualMemory (-1, (0x429000), 772, 4, ... (0x429000), 4096, 128, ) == 0x0 00057 432 NtProtectVirtualMemory (-1, (0x429000), 4096, 128, ... (0x429000), 4096, 8, ) == 0x0 00058 432 NtFlushInstructionCache (-1, 4362240, 772, ... ) == 0x0 00059 432 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 432 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 432 NtClose (28, ... ) == 0x0 00062 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 432 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 432 NtClose (28, ... ) == 0x0 00065 432 NtTestAlert (... ) == 0x0 00066 432 NtContinue (1244464, 1, ... 00067 432 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x43a000,}, 4, ... ) == 0x0 00068 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 432 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 432 NtClose (28, ... ) == 0x0 00071 432 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00072 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHFOLDER.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00073 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SHFOLDER.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00074 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SHFOLDER.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00075 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SHFOLDER.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0 00076 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SHFOLDER.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00077 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00078 432 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00079 432 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00080 432 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00081 432 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00082 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00083 432 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 432 NtClose (40, ... ) == 0x0 00085 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00086 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
40, ) == 0x0 00087 432 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00088 432 NtClose (40, ... ) == 0x0 00089 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00090 432 NtClose (36, ... ) == 0x0 00091 432 NtClose (28, ... ) == 0x0 00092 432 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0 00093 432 NtClose (32, ... ) == 0x0 00094 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00095 432 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00096 432 NtClose (32, ... ) == 0x0 00097 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 32, ) }, ... 32, ) == 0x0 00098 432 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00099 432 NtClose (32, ... ) == 0x0 00100 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0 00101 432 NtQueryValueKey (32, (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00102 432 NtQueryValueKey (32, (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00103 432 NtClose (32, ... 
) == 0x0 00104 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0 00105 432 NtQueryValueKey (32, (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 432 NtClose (32, ... ) == 0x0 00107 432 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0 00108 432 NtSetInformationObject (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00109 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00110 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00112 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0 00114 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00115 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00116 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00117 432 NtClose (28, ... ) == 0x0 00118 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00119 432 NtClose (36, ... 
) == 0x0 00120 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 36, ) }, ... 36, ) == 0x0 00121 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00122 432 NtClose (36, ... ) == 0x0 00123 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00124 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240212, ... ) }, 1240212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00125 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240212, ... ) }, 1240212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240212, ... ) }, 1240212, ... ) == 0x0 00127 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00128 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00129 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00130 432 NtClose (36, ... ) == 0x0 00131 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00132 432 NtClose (28, ... ) == 0x0 00133 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00134 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00135 432 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 
3276800, 4096, ) == 0x0 00136 432 NtAllocateVirtualMemory (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0 00137 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0 00138 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0 00139 432 NtClose (28, ... ) == 0x0 00140 432 NtAllocateVirtualMemory (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0 00141 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00142 432 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00143 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00144 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00146 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0 00147 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00148 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00149 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00150 432 NtClose (28, ... 
) == 0x0 00151 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 00152 432 NtClose (36, ... ) == 0x0 00153 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1240212, ... ) }, 1240212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00155 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 1240212, ... ) }, 1240212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00156 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1240212, ... ) }, 1240212, ... ) == 0x0 00157 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00158 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00159 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00160 432 NtClose (36, ... ) == 0x0 00161 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 00162 432 NtClose (28, ... ) == 0x0 00163 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1239408, ... ) }, 1239408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00165 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1239408, ... ) }, 1239408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00166 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1239408, ... ) }, 1239408, ... 
) == 0x0 00167 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00168 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00169 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00170 432 NtClose (28, ... ) == 0x0 00171 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 00172 432 NtClose (36, ... ) == 0x0 00173 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00174 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1238604, ... ) }, 1238604, ... ) == 0x0 00177 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00178 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00179 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00180 432 NtClose (36, ... ) == 0x0 00181 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 00182 432 NtClose (28, ... ) == 0x0 00183 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 432 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 
1228800, 4096, ) == 0x0 00185 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1237800, ... ) }, 1237800, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00186 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1237800, ... ) }, 1237800, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00187 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1237800, ... ) }, 1237800, ... ) == 0x0 00188 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00189 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00190 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00191 432 NtClose (28, ... ) == 0x0 00192 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 00193 432 NtClose (36, ... ) == 0x0 00194 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00195 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1236996, ... ) }, 1236996, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00196 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1236996, ... ) }, 1236996, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1236996, ... ) }, 1236996, ... ) == 0x0 00198 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00199 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 
28, ) == 0x0 00200 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00201 432 NtClose (36, ... ) == 0x0 00202 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 00203 432 NtClose (28, ... ) == 0x0 00204 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00205 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 00206 432 NtClose (28, ... ) == 0x0 00207 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00208 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00209 432 NtClose (28, ... ) == 0x0 00210 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00211 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00212 432 NtClose (28, ... ) == 0x0 00213 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00214 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1237800, ... ) }, 1237800, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00215 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1237800, ... ) }, 1237800, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00216 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1237800, ... ) }, 1237800, ... ) == 0x0 00217 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00218 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 
36, ) == 0x0 00219 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00220 432 NtClose (28, ... ) == 0x0 00221 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 00222 432 NtClose (36, ... ) == 0x0 00223 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00224 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00225 432 NtClose (36, ... ) == 0x0 00226 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00227 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00228 432 NtClose (36, ... ) == 0x0 00229 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00230 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00231 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00232 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1238604, ... ) }, 1238604, ... ) == 0x0 00233 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00234 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00235 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00236 432 NtClose (36, ... ) == 0x0 00237 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 00238 432 NtClose (28, ... 
) == 0x0 00239 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00240 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00241 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00242 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1238604, ... ) }, 1238604, ... ) == 0x0 00243 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00244 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00245 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00246 432 NtClose (28, ... ) == 0x0 00247 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 00248 432 NtClose (36, ... ) == 0x0 00249 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00251 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00252 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1238604, ... ) }, 1238604, ... ) == 0x0 00253 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 
36, {status=0x0, info=1}, ) == 0x0 00254 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00255 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00256 432 NtClose (36, ... ) == 0x0 00257 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 00258 432 NtClose (28, ... ) == 0x0 00259 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00260 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1239408, ... ) }, 1239408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00261 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1239408, ... ) }, 1239408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1239408, ... ) }, 1239408, ... ) == 0x0 00263 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00264 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00265 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 432 NtClose (28, ... ) == 0x0 00267 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 00268 432 NtClose (36, ... ) == 0x0 00269 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00270 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00271 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1238604, ... ) }, 1238604, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00272 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1238604, ... ) }, 1238604, ... ) == 0x0 00273 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00274 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00275 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00276 432 NtClose (36, ... ) == 0x0 00277 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 00278 432 NtClose (28, ... ) == 0x0 00279 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00280 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00281 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00282 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1238604, ... ) }, 1238604, ... ) == 0x0 00283 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00284 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00285 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00286 432 NtClose (28, ... ) == 0x0 00287 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 00288 432 NtClose (36, ... 
) == 0x0 00289 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 36, ) }, ... 36, ) == 0x0 00290 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00291 432 NtClose (36, ... ) == 0x0 00292 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00293 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1237800, ... ) }, 1237800, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1237800, ... ) }, 1237800, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00295 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1237800, ... ) }, 1237800, ... ) == 0x0 00296 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00297 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00298 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00299 432 NtClose (36, ... ) == 0x0 00300 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 00301 432 NtClose (28, ... ) == 0x0 00302 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00303 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00304 432 NtClose (28, ... ) == 0x0 00305 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00306 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239408, ... ) }, 1239408, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00307 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1239408, ... ) }, 1239408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1239408, ... ) }, 1239408, ... ) == 0x0 00309 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00310 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00311 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00312 432 NtClose (28, ... ) == 0x0 00313 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 00314 432 NtClose (36, ... ) == 0x0 00315 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00316 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1239408, ... ) }, 1239408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00317 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1239408, ... ) }, 1239408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1239408, ... ) }, 1239408, ... ) == 0x0 00319 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00320 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00321 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00322 432 NtClose (36, ... 
) == 0x0 00323 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 00324 432 NtClose (28, ... ) == 0x0 00325 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00326 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00327 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00328 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1238604, ... ) }, 1238604, ... ) == 0x0 00329 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00330 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00331 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00332 432 NtClose (28, ... ) == 0x0 00333 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 00334 432 NtClose (36, ... ) == 0x0 00335 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00336 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00337 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00338 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1238604, ... ) }, 1238604, ... 
) == 0x0 00339 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00340 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00341 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00342 432 NtClose (36, ... ) == 0x0 00343 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 00344 432 NtClose (28, ... ) == 0x0 00345 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00346 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1237800, ... ) }, 1237800, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00347 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1237800, ... ) }, 1237800, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00348 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1237800, ... ) }, 1237800, ... ) == 0x0 00349 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00350 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00351 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00352 432 NtClose (28, ... ) == 0x0 00353 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 00354 432 NtClose (36, ... ) == 0x0 00355 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00356 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x762c0000), 0x0, 565248, ) == 0x0 00357 432 NtClose (36, ... ) == 0x0 00358 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 36, ) }, ... 36, ) == 0x0 00359 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00360 432 NtClose (36, ... ) == 0x0 00361 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00362 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00363 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00364 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1238604, ... ) }, 1238604, ... ) == 0x0 00365 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00366 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 28, ) == 0x0 00367 432 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00368 432 NtClose (36, ... ) == 0x0 00369 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 00370 432 NtClose (28, ... ) == 0x0 00371 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00372 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1237800, ... ) }, 1237800, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00373 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1237800, ... ) }, 1237800, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00374 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1237800, ... ) }, 1237800, ... ) == 0x0 00375 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00376 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0 00377 432 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00378 432 NtClose (28, ... ) == 0x0 00379 432 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 00380 432 NtClose (36, ... ) == 0x0 00381 432 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00382 432 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00383 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 28, ) }, ... 28, ) == 0x0 00384 432 NtQueryValueKey (28, (28, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (28, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00385 432 NtClose (28, ... ) == 0x0 00386 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00387 432 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 1327480, 1311096} (24, {28, 56, new_msg, 0, 1246456, 1, 1327480, 1311096} "\210\6\31\1\0\0\0\0\0\0\0\0>x;6\3\0\0\0\234\6\31\1$\1\0\0" ... 
{28, 56, reply, 0, 428, 432, 1511, 0} "XQ\26\0\0\0\0\0\0\0\0\0>x;6\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 428, 432, 1511, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 1327480, 1311096} "\210\6\31\1\0\0\0\0\0\0\0\0>x;6\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 428, 432, 1511, 0} "XQ\26\0\0\0\0\0\0\0\0\0>x;6\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00388 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00389 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x540000), 0x0, 1060864, ) == 0x0 00390 432 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0 00391 432 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00392 432 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00393 432 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00394 432 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00395 432 NtClose (-2147482020, ... ) == 0x0 00396 432 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0 00397 432 NtFreeVirtualMemory (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0 00398 432 NtDuplicateObject (-1, 44, -1, 0x0, 0, 2, ... 52, ) == 0x0 00399 432 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00400 432 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00401 432 NtClose (-2147482020, ... ) == 0x0 00402 432 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... 
-2147482020, ) == 0x0 00403 432 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00404 432 NtClose (-2147482020, ... ) == 0x0 00405 432 NtQueryDefaultLocale (0, -136377844, ... ) == 0x0 00406 432 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00407 432 NtUserCallNoParam (24, ... ) == 0x0 00408 432 NtGdiCreateCompatibleDC (0, ... 00409 432 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0 00408 432 NtGdiCreateCompatibleDC ... ) == 0xb010403 00410 432 NtGdiGetStockObject (0, ... ) == 0x1900010 00411 432 NtGdiGetStockObject (4, ... ) == 0x1900011 00412 432 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xc050405 00413 432 NtGdiCreateSolidBrush (0, 0, ... 00414 432 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0 00413 432 NtGdiCreateSolidBrush ... ) == 0xb100408 00415 432 NtGdiGetStockObject (13, ... ) == 0x18a0021 00416 432 NtGdiCreateCompatibleDC (0, ... ) == 0xf0103fd 00417 432 NtGdiSelectBitmap (251724797, 201655301, ... ) == 0x185000f 00418 432 NtUserGetThreadDesktop (432, 0, ... ) == 0x30 00419 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 56, ) }, ... 56, ) == 0x0 00420 432 NtQueryValueKey (56, (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00421 432 NtClose (56, ... ) == 0x0 00422 432 NtUserFindExistingCursorIcon (1238820, 1238836, 1239404, ... ) == 0x10011 00423 432 NtUserRegisterClassExWOW (1239340, 1239420, 1239404, 1239436, 673, 128, 0, ... ) == 0x810dc017 00424 432 NtUserFindExistingCursorIcon (1238820, 1238836, 1239404, ... ) == 0x10011 00425 432 NtUserRegisterClassExWOW (1239340, 1239420, 1239404, 1239436, 674, 128, 0, ... 
) == 0x810dc01c 00426 432 NtUserFindExistingCursorIcon (1238820, 1238836, 1239404, ... ) == 0x10011 00427 432 NtUserRegisterClassExWOW (1239340, 1239420, 1239404, 1239436, 675, 128, 0, ... ) == 0x810dc01e 00428 432 NtUserFindExistingCursorIcon (1238820, 1238836, 1239404, ... ) == 0x10011 00429 432 NtUserRegisterClassExWOW (1239340, 1239420, 1239404, 1239436, 676, 128, 0, ... ) == 0x810d8002 00430 432 NtUserFindExistingCursorIcon (1238820, 1238836, 1239404, ... ) == 0x10013 00431 432 NtUserRegisterClassExWOW (1239340, 1239420, 1239404, 1239436, 677, 128, 0, ... ) == 0x810dc018 00432 432 NtUserFindExistingCursorIcon (1238820, 1238836, 1239404, ... ) == 0x10011 00433 432 NtUserRegisterClassExWOW (1239340, 1239420, 1239404, 1239436, 678, 128, 0, ... ) == 0x810dc01a 00434 432 NtUserFindExistingCursorIcon (1238820, 1238836, 1239404, ... ) == 0x10011 00435 432 NtUserRegisterClassExWOW (1239340, 1239420, 1239404, 1239436, 679, 128, 0, ... ) == 0x810dc01d 00436 432 NtUserFindExistingCursorIcon (1238820, 1238836, 1239404, ... ) == 0x10011 00437 432 NtUserRegisterClassExWOW (1239340, 1239420, 1239404, 1239436, 681, 128, 0, ... ) == 0x810dc026 00438 432 NtUserFindExistingCursorIcon (1238820, 1238836, 1239404, ... ) == 0x10011 00439 432 NtUserRegisterClassExWOW (1239340, 1239420, 1239404, 1239436, 680, 128, 0, ... ) == 0x810dc019 00440 432 NtUserRegisterClassExWOW (1239292, 1239372, 1239356, 1239388, 0, 128, 0, ... 00441 432 NtAllocateVirtualMemory (-1, 6713344, 0, 4096, 4096, 32, ... 6713344, 4096, ) == 0x0 00440 432 NtUserRegisterClassExWOW ... ) == 0x810dc020 00442 432 NtUserRegisterClassExWOW (1239292, 1239368, 1239384, 1239356, 0, 130, 0, ... ) == 0x810dc022 00443 432 NtUserRegisterClassExWOW (1239292, 1239372, 1239356, 1239388, 0, 128, 0, ... ) == 0x810dc023 00444 432 NtUserRegisterClassExWOW (1239292, 1239368, 1239384, 1239356, 0, 130, 0, ... ) == 0x810dc024 00445 432 NtUserRegisterClassExWOW (1239292, 1239372, 1239356, 1239388, 0, 128, 0, ... 
) == 0x810dc025 00446 432 NtCallbackReturn (0, 0, 0, ... 00447 432 NtGdiInit (... ) == 0x1 00448 432 NtGdiGetStockObject (18, ... ) == 0x290001c 00449 432 NtGdiGetStockObject (19, ... ) == 0x1b00019 00450 432 NtQueryDefaultUILanguage (2013024600, ... 00451 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00452 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00453 432 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00454 432 NtClose (-2147482020, ... ) == 0x0 00455 432 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00456 432 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00457 432 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00458 432 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00459 432 NtClose (-2147482032, ... ) == 0x0 00460 432 NtClose (-2147482020, ... ) == 0x0 00450 432 NtQueryDefaultUILanguage ... ) == 0x0 00461 432 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00462 432 NtQueryDefaultLocale (1, 1240888, ... ) == 0x0 00463 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00464 432 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 
3538944, 262144, ) == 0x0 00465 432 NtAllocateVirtualMemory (-1, 3538944, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0 00466 432 NtAllocateVirtualMemory (-1, 3543040, 0, 8192, 4096, 4, ... 3543040, 8192, ) == 0x0 00467 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00468 432 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00469 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00470 432 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00471 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00472 432 NtQueryValueKey (56, (56, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00473 432 NtClose (56, ... ) == 0x0 00474 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00475 432 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00476 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00477 432 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00478 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 56, ) }, ... 56, ) == 0x0 00479 432 NtQueryValueKey (56, (56, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00480 432 NtQueryValueKey (56, (56, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00481 432 NtQueryValueKey (56, (56, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 432 NtClose (56, ... ) == 0x0 00483 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 56, ) }, ... 56, ) == 0x0 00484 432 NtQueryValueKey (56, (56, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00485 432 NtQueryValueKey (56, (56, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00486 432 NtClose (56, ... ) == 0x0 00487 432 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 56, ) }, ... 56, ) == 0x0 00488 432 NtOpenEvent (0x1f0003, {24, 56, 0x0, 0, 0, (0x1f0003, {24, 56, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00489 432 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... 
) == 0xc07b 00490 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00491 432 NtOpenKey (0x9, {24, 32, 0x40, 0, 0, (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00492 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00493 432 NtQueryDefaultLocale (1, 1240848, ... ) == 0x0 00494 432 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 00495 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 60, ) }, ... 60, ) == 0x0 00496 432 NtQueryValueKey (60, (60, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00497 432 NtClose (60, ... ) == 0x0 00498 432 NtUserGetProcessWindowStation (... ) == 0x2c 00499 432 NtUserGetObjectInformation (44, 1, 1240520, 12, 1240532, ... ) == 0x1 00500 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 60, ) }, ... 60, ) == 0x0 00501 432 NtQueryValueKey (60, (60, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 00502 432 NtClose (60, ... ) == 0x0 00503 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 60, ) }, ... 60, ) == 0x0 00504 432 NtQueryValueKey (60, (60, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "OsLoaderPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 00505 432 NtQueryValueKey (60, (60, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 00506 432 NtClose (60, ... ) == 0x0 00507 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 60, ) }, ... 60, ) == 0x0 00508 432 NtQueryValueKey (60, (60, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 00509 432 NtQueryValueKey (60, (60, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 00510 432 NtClose (60, ... ) == 0x0 00511 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 60, ) }, ... 60, ) == 0x0 00512 432 NtQueryValueKey (60, (60, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00513 432 NtQueryValueKey (60, (60, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "SourcePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00514 432 NtClose (60, ... ) == 0x0 00515 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 60, ) }, ... 60, ) == 0x0 00516 432 NtQueryValueKey (60, (60, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00517 432 NtQueryValueKey (60, (60, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (60, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00518 432 NtClose (60, ... ) == 0x0 00519 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 60, ) }, ... 60, ) == 0x0 00520 432 NtQueryValueKey (60, (60, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (60, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 00521 432 NtQueryValueKey (60, (60, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (60, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 00522 432 NtClose (60, ... 
) == 0x0 00523 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 60, ) }, ... 60, ) == 0x0 00524 432 NtQueryValueKey (60, (60, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (60, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 00525 432 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00526 432 NtClose (60, ... ) == 0x0 00527 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 60, ) == 0x0 00528 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 64, ) == 0x0 00529 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0 00530 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 72, ) == 0x0 00531 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0 00532 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 80, ) == 0x0 00533 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 84, ) }, ... 84, ) == 0x0 00534 432 NtQueryValueKey (84, (84, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00535 432 NtQueryValueKey (84, (84, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00536 432 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00537 432 NtClose (84, ... ) == 0x0 00538 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1240440, ... ) }, 1240440, ... ) == 0x0 00539 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 84, ) }, ... 84, ) == 0x0 00540 432 NtQueryValueKey (84, (84, "ComputerName", Full, 128, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (84, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (84, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00541 432 NtClose (84, ... ) == 0x0 00542 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 84, ) }, ... 84, ) == 0x0 00543 432 NtQueryValueKey (84, (84, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (84, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (84, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 00544 432 NtClose (84, ... ) == 0x0 00545 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00546 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 84, ) }, ... 84, ) == 0x0 00547 432 NtQueryValueKey (84, (84, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (84, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (84, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 00548 432 NtClose (84, ... ) == 0x0 00549 432 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00550 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0 00551 432 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0 00552 432 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0 00553 432 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 96, ) }, ... 96, ) == 0x0 00554 432 NtQueryValueKey (96, (96, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00555 432 NtQueryValueKey (96, (96, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00556 432 NtQueryValueKey (96, (96, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00557 432 NtQueryValueKey (96, (96, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00558 432 NtQueryValueKey (96, (96, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00559 432 NtQueryValueKey (96, (96, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00560 432 NtQueryValueKey (96, (96, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00561 432 NtQueryValueKey (96, (96, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00562 432 NtQueryValueKey (96, (96, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00563 432 NtQueryValueKey (96, (96, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00564 432 NtQueryValueKey (96, (96, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00565 432 NtQueryValueKey (96, (96, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00566 432 NtQueryValueKey (96, (96, "midi2", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00567 432 NtQueryValueKey (96, (96, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00568 432 NtQueryValueKey (96, (96, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00569 432 NtQueryValueKey (96, (96, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00570 432 NtQueryValueKey (96, (96, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00571 432 NtQueryValueKey (96, (96, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00572 432 NtQueryValueKey (96, (96, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00573 432 NtQueryValueKey (96, (96, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00574 432 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 00575 432 NtQueryValueKey (96, (96, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00576 432 NtQueryValueKey (96, (96, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00577 432 NtQueryValueKey (96, (96, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00578 432 NtQueryValueKey (96, (96, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00579 432 NtQueryValueKey (96, (96, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00580 432 NtQueryValueKey (96, (96, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00581 432 NtQueryValueKey (96, (96, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00582 432 NtQueryValueKey (96, (96, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00583 432 NtQueryValueKey (96, (96, "aux8", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00584 432 NtQueryValueKey (96, (96, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 432 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 00586 432 NtOpenKey (0xf003f, {24, 32, 0x40, 0, 0, (0xf003f, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 100, ) }, ... 100, ) == 0x0 00587 432 NtQueryValueKey (100, (100, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00588 432 NtClose (100, ... ) == 0x0 00589 432 NtCreateEvent (0x1f0003, {24, 56, 0x80, 0, 0, (0x1f0003, {24, 56, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00590 432 NtQueryValueKey (96, (96, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00591 432 NtQueryValueKey (96, (96, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00592 432 NtQueryValueKey (96, (96, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00593 432 NtQueryValueKey (96, (96, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00594 432 NtQueryValueKey (96, (96, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00595 432 NtQueryValueKey (96, (96, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00596 432 NtQueryValueKey (96, (96, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00597 432 NtQueryValueKey (96, (96, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00598 432 NtQueryValueKey (96, (96, "mixer8", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00599 432 NtQueryValueKey (96, (96, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00600 432 NtQueryDefaultUILanguage (1239408, ... 00601 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00602 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00603 432 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00604 432 NtClose (-2147482020, ... ) == 0x0 00605 432 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00606 432 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00607 432 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00608 432 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00609 432 NtClose (-2147482032, ... ) == 0x0 00610 432 NtClose (-2147482020, ... ) == 0x0 00600 432 NtQueryDefaultUILanguage ... ) == 0x0 00611 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00612 432 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00613 432 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 100, {status=0x0, info=1}, ) }, 1, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00614 432 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 100, ... 
104, ) == 0x0 00615 432 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3a0000), 0x0, 163840, ) == 0x0 00616 432 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00617 432 NtQueryDefaultLocale (1, 1237444, ... ) == 0x0 00618 432 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00619 432 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238300, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238300, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\350\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0\360Z<\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\34\354\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 432, 1512, 0} " S\26\0\33\0\1\0\0\0\0\0\1\350\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0\360Z<\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\34\354\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 428, 432, 1512, 0} (24, {128, 156, new_msg, 0, 1238300, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\350\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0\360Z<\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\34\354\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 428, 432, 1512, 0} " S\26\0\33\0\1\0\0\0\0\0\1\350\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1d\0\0\0\377\377\377\377\0\0\0\0\360Z<\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\34\354\22\0\0\0\0\0" ) ) == 0x0 00620 432 NtClose (100, ... ) == 0x0 00621 432 NtClose (104, ... ) == 0x0 00622 432 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00623 432 NtUnmapViewOfSection (-1, 0x12ec1c, ... ) == STATUS_NOT_MAPPED_VIEW 00624 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00625 432 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00626 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00627 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00628 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236528, ... ) }, 1236528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00629 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00630 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00631 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00632 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237120, ... ) }, 1237120, ... ) == 0x0 00633 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 104, {status=0x0, info=1}, ) }, 3, 33, ... 104, {status=0x0, info=1}, ) == 0x0 00634 432 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00635 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00636 432 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 100, ... 108, ) == 0x0 00637 432 NtClose (100, ... ) == 0x0 00638 432 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x950000), 0x0, 921600, ) == 0x0 00639 432 NtClose (108, ... ) == 0x0 00640 432 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00641 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00642 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 100, ) == 0x0 00643 432 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00644 432 NtClose (108, ... ) == 0x0 00645 432 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00646 432 NtClose (100, ... ) == 0x0 00647 432 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00648 432 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00649 432 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00650 432 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00651 432 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00652 432 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00653 432 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00654 432 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00655 432 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00656 432 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00657 432 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00658 432 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00659 432 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00660 432 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00661 432 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00662 432 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00663 432 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00664 432 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00665 432 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00666 432 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00667 432 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00668 432 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238304, ... ) , 42, 1238304, ... ) == 0x0 00669 432 NtQueryDefaultUILanguage (1237020, ... 00670 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00671 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00672 432 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00673 432 NtClose (-2147482020, ... ) == 0x0 00674 432 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... 
-2147482020, ) == 0x0 00675 432 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00676 432 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00677 432 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00678 432 NtClose (-2147482032, ... ) == 0x0 00679 432 NtClose (-2147482020, ... ) == 0x0 00669 432 NtQueryDefaultUILanguage ... ) == 0x0 00680 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00681 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235872, ... ) }, 1235872, ... ) == 0x0 00682 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00683 432 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 100, ... 108, ) == 0x0 00684 432 NtClose (100, ... ) == 0x0 00685 432 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 4096, ) == 0x0 00686 432 NtClose (108, ... ) == 0x0 00687 432 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00688 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235512, ... ) }, 1235512, ... ) == 0x0 00689 432 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236212, (0x80100080, {24, 0, 0x40, 0, 1236212, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 
108, {status=0x0, info=1}, ) == 0x0 00690 432 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 108, ... 100, ) == 0x0 00691 432 NtClose (108, ... ) == 0x0 00692 432 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3a0000), {0, 0}, 4096, ) == 0x0 00693 432 NtClose (100, ... ) == 0x0 00694 432 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00695 432 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 100, {status=0x0, info=1}, ) }, 1, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00696 432 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 100, ... 108, ) == 0x0 00697 432 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3a0000), 0x0, 4096, ) == 0x0 00698 432 NtQueryInformationFile (100, 1235832, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00699 432 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00700 432 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1235912, 1, 96, 0} (24, {128, 156, new_msg, 0, 1235912, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1d\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\310\342\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 432, 1513, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1d\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\310\342\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 428, 432, 1513, 0} (24, {128, 156, new_msg, 0, 1235912, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1d\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\310\342\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 432, 1513, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1d\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\310\342\22\0\0\0\0\0" ) ) == 0x0 00701 432 NtClose (100, ... ) == 0x0 00702 432 NtClose (108, ... ) == 0x0 00703 432 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00704 432 NtUnmapViewOfSection (-1, 0x12e2c8, ... ) == STATUS_NOT_MAPPED_VIEW 00705 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00706 432 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00707 432 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00708 432 NtUserGetDC (0, ... ) == 0x1010052 00709 432 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00710 432 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00711 432 NtUserSystemParametersInfo (66, 12, 1238324, 0, ... ) == 0x1 00712 432 NtOpenProcessToken (-1, 0x8, ... 108, ) == 0x0 00713 432 NtAccessCheck (1334880, 108, 0x1, 1237728, 1237672, 56, 1237756, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00714 432 NtClose (108, ... ) == 0x0 00715 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00716 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 108, ) == 0x0 00717 432 NtQueryInformationToken (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00718 432 NtClose (108, ... 
) == 0x0 00719 432 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 108, ) }, ... 108, ) == 0x0 00720 432 NtSetInformationObject (108, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00721 432 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "Control Panel\Desktop"}, ... 100, ) }, ... 100, ) == 0x0 00722 432 NtQueryValueKey (100, (100, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00723 432 NtClose (100, ... ) == 0x0 00724 432 NtUserSystemParametersInfo (41, 500, 1237824, 0, ... ) == 0x1 00725 432 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00726 432 NtOpenKey (0x1, {24, 108, 0x40, 0, 0, (0x1, {24, 108, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 100, ) }, ... 100, ) == 0x0 00727 432 NtQueryValueKey (100, (100, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00728 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 112, ) }, ... 112, ) == 0x0 00729 432 NtQueryValueKey (112, (112, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00730 432 NtClose (112, ... ) == 0x0 00731 432 NtClose (100, ... ) == 0x0 00732 432 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00733 432 NtUserSystemParametersInfo (4130, 0, 1238348, 0, ... ) == 0x1 00734 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 100, ) }, ... 100, ) == 0x0 00735 432 NtEnumerateValueKey (100, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00736 432 NtClose (100, ... ) == 0x0 00737 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... 
) == 0x10011 00738 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc03b 00739 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc03d 00740 432 NtUserFindExistingCursorIcon (1237628, 1237644, 1238212, ... ) == 0x10011 00741 432 NtUserRegisterClassExWOW (1238080, 1238160, 1238144, 1238176, 0, 384, 0, ... ) == 0x810dc03f 00742 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00743 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc041 00744 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00745 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc043 00746 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc045 00747 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00748 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc047 00749 432 NtUserFindExistingCursorIcon (1237628, 1237644, 1238212, ... ) == 0x10011 00750 432 NtUserRegisterClassExWOW (1238080, 1238160, 1238144, 1238176, 0, 384, 0, ... ) == 0x810dc049 00751 432 NtUserGetClassInfo (1905590272, 1238244, 1238196, 1238272, 0, ... ) == 0xc049 00752 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00753 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc04b 00754 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00755 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc04d 00756 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00757 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc04f 00758 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... 
) == 0x810dc051 00759 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00760 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc053 00761 432 NtUserFindExistingCursorIcon (1237628, 1237644, 1238212, ... ) == 0x10011 00762 432 NtUserRegisterClassExWOW (1238080, 1238160, 1238144, 1238176, 0, 384, 0, ... ) == 0x810dc055 00763 432 NtUserRegisterClassExWOW (1238080, 1238160, 1238144, 1238176, 0, 384, 0, ... ) == 0x810dc057 00764 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00765 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc059 00766 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10013 00767 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc05b 00768 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00769 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc05d 00770 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00771 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc05f 00772 432 NtUserFindExistingCursorIcon (1237628, 1237644, 1238212, ... ) == 0x10011 00773 432 NtUserRegisterClassExWOW (1238080, 1238160, 1238144, 1238176, 0, 384, 0, ... ) == 0x810dc017 00774 432 NtUserFindExistingCursorIcon (1237628, 1237644, 1238212, ... ) == 0x10011 00775 432 NtUserRegisterClassExWOW (1238080, 1238160, 1238144, 1238176, 0, 384, 0, ... ) == 0x810dc019 00776 432 NtUserFindExistingCursorIcon (1237628, 1237644, 1238212, ... ) == 0x10013 00777 432 NtUserRegisterClassExWOW (1238080, 1238160, 1238144, 1238176, 0, 384, 0, ... ) == 0x810dc018 00778 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00779 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... 
) == 0x810dc01a 00780 432 NtUserFindExistingCursorIcon (1237628, 1237644, 1238212, ... ) == 0x10011 00781 432 NtUserRegisterClassExWOW (1238080, 1238160, 1238144, 1238176, 0, 384, 0, ... 00782 432 NtAllocateVirtualMemory (-1, 6717440, 0, 4096, 4096, 32, ... 6717440, 4096, ) == 0x0 00781 432 NtUserRegisterClassExWOW ... ) == 0x810dc01c 00783 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00784 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc01e 00785 432 NtUserFindExistingCursorIcon (1237628, 1237644, 1238212, ... ) == 0x10011 00786 432 NtUserRegisterClassExWOW (1238140, 1238220, 1238204, 1238236, 0, 384, 0, ... ) == 0x810dc01b 00787 432 NtUserFindExistingCursorIcon (1237624, 1237640, 1238208, ... ) == 0x10011 00788 432 NtUserRegisterClassExWOW (1238136, 1238216, 1238200, 1238232, 0, 384, 0, ... ) == 0x810dc068 00789 432 NtUserFindExistingCursorIcon (1237632, 1237648, 1238216, ... ) == 0x10011 00790 432 NtUserRegisterClassExWOW (1238084, 1238164, 1238148, 1238180, 0, 384, 0, ... ) == 0x810dc06a 00791 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 100, ) }, ... 100, ) == 0x0 00792 432 NtQueryValueKey (100, (100, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00793 432 NtQueryValueKey (100, (100, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00794 432 NtClose (100, ... ) == 0x0 00795 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 100, ) == 0x0 00796 432 NtCreateMutant (0x1f0001, {24, 56, 0x80, 1334000, 0, (0x1f0001, {24, 56, 0x80, 1334000, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 00797 432 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "RasPbFile"}, ... 112, ) }, ... 112, ) == 0x0 00798 432 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 
116, ) == 0x0 00799 432 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0 00800 432 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 124, ) == 0x0 00801 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 128, ) }, ... 128, ) == 0x0 00802 432 NtQueryValueKey (128, (128, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00803 432 NtClose (128, ... ) == 0x0 00804 432 NtQueryDefaultUILanguage (1239372, ... 00805 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00806 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00807 432 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00808 432 NtClose (-2147482020, ... ) == 0x0 00809 432 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00810 432 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00811 432 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00812 432 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00813 432 NtClose (-2147482032, ... ) == 0x0 00814 432 NtClose (-2147482020, ... ) == 0x0 00804 432 NtQueryDefaultUILanguage ... ) == 0x0 00815 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00816 432 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 128, {status=0x0, info=1}, ) }, 1, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00817 432 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 128, ... 132, ) == 0x0 00818 432 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x950000), 0x0, 8323072, ) == 0x0 00819 432 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00820 432 NtQueryDefaultLocale (1, 1237408, ... ) == 0x0 00821 432 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00822 432 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238264, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238264, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\350\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\200\0\0\0\377\377\377\377\0\0\0\0\20\311\314\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\370\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 432, 1514, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\350\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\200\0\0\0\377\377\377\377\0\0\0\0\20\311\314\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\370\353\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 428, 432, 1514, 0} (24, {128, 156, new_msg, 0, 1238264, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\350\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\200\0\0\0\377\377\377\377\0\0\0\0\20\311\314\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\370\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 428, 432, 1514, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\350\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\200\0\0\0\377\377\377\377\0\0\0\0\20\311\314\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\370\353\22\0\0\0\0\0" ) ) == 0x0 00823 432 NtClose (128, ... ) == 0x0 00824 432 NtClose (132, ... ) == 0x0 00825 432 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00826 432 NtUnmapViewOfSection (-1, 0x12ebf8, ... ) == STATUS_NOT_MAPPED_VIEW 00827 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00828 432 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00829 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00830 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00831 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236492, ... ) }, 1236492, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00832 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00833 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00834 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00835 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237084, ... ) }, 1237084, ... 
) == 0x0 00836 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 132, {status=0x0, info=1}, ) }, 3, 33, ... 132, {status=0x0, info=1}, ) == 0x0 00837 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00838 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 128, ) }, ... 128, ) == 0x0 00839 432 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00840 432 NtClose (128, ... ) == 0x0 00841 432 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {428, 0}, ... 128, ) == 0x0 00842 432 NtQueryInformationProcess (128, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00843 432 NtClose (128, ... ) == 0x0 00844 432 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00845 432 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00846 432 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00847 432 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "Control Panel\Desktop"}, ... 128, ) }, ... 128, ) == 0x0 00848 432 NtQueryValueKey (128, (128, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00849 432 NtClose (128, ... ) == 0x0 00850 432 NtUserSystemParametersInfo (41, 500, 1238948, 0, ... ) == 0x1 00851 432 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00852 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00853 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00854 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc03b 00855 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00856 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... 
) == 0x810dc03d 00857 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00858 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00859 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc03f 00860 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00861 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00862 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc041 00863 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00864 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00865 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc043 00866 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00867 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc045 00868 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00869 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00870 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc047 00871 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00872 432 NtUserFindExistingCursorIcon (1238736, 1238752, 1239320, ... ) == 0x10011 00873 432 NtUserRegisterClassExWOW (1239188, 1239268, 1239252, 1239284, 0, 384, 0, ... ) == 0x810dc049 00874 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00875 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00876 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc04b 00877 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00878 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... 
) == 0x10011 00879 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc04d 00880 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00881 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00882 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc04f 00883 432 NtUserGetClassInfo (1999896576, 1239360, 1239312, 1239388, 0, ... ) == 0x0 00884 432 NtUserRegisterClassExWOW (1239196, 1239276, 1239260, 1239292, 0, 384, 0, ... ) == 0x810dc051 00885 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00886 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00887 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc053 00888 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00889 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00890 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc055 00891 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc057 00892 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00893 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00894 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc059 00895 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00896 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10013 00897 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc05b 00898 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00899 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... 
) == 0x10011 00900 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc05d 00901 432 NtUserGetClassInfo (1999896576, 1239356, 1239308, 1239384, 0, ... ) == 0x0 00902 432 NtUserFindExistingCursorIcon (1238740, 1238756, 1239324, ... ) == 0x10011 00903 432 NtUserRegisterClassExWOW (1239192, 1239272, 1239256, 1239288, 0, 384, 0, ... ) == 0x810dc05f 00904 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc03b 00905 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc03d 00906 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc03f 00907 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc041 00908 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc043 00909 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc045 00910 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc047 00911 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc049 00912 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc04b 00913 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc04d 00914 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc04f 00915 432 NtUserGetClassInfo (1999896576, 1241112, 1241064, 1241140, 0, ... ) == 0xc051 00916 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc053 00917 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc055 00918 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc059 00919 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc05b 00920 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... ) == 0xc05d 00921 432 NtUserGetClassInfo (1999896576, 1241108, 1241060, 1241136, 0, ... 
) == 0xc05f 00922 432 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 128, ) == 0x0 00923 432 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 136, ) == 0x0 00924 432 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 140, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 140, 2, ) , 0, ... 140, 2, ) == 0x0 00925 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 144, ) }, ... 144, ) == 0x0 00926 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 432 NtQueryValueKey (144, (144, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00929 432 NtQueryValueKey (140, (140, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 432 NtQueryValueKey (144, (144, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 432 NtQueryValueKey (140, (140, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00932 432 NtQueryValueKey (144, (144, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 432 NtQueryValueKey (140, (140, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00934 432 NtQueryValueKey (144, (144, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 432 NtQueryValueKey (140, (140, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 432 NtQueryValueKey (144, (144, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 432 NtQueryValueKey (144, (144, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 432 NtQueryValueKey (144, (144, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00939 432 NtQueryValueKey (144, (144, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 432 NtQueryValueKey (144, (144, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00941 432 NtQueryValueKey (144, (144, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 432 NtQueryValueKey (144, (144, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 432 NtQueryValueKey (140, (140, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00944 432 NtQueryValueKey (144, (144, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 432 NtQueryValueKey (144, (144, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00946 432 NtQueryValueKey (140, (140, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 432 NtQueryValueKey (144, (144, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00948 432 NtQueryValueKey (140, (140, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00949 432 NtQueryValueKey (144, (144, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 432 NtQueryValueKey (140, (140, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 432 NtQueryValueKey (144, (144, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 432 NtQueryValueKey (140, (140, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 432 NtQueryValueKey (144, (144, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 432 NtQueryValueKey (140, (140, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 432 NtQueryValueKey (144, (144, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00956 432 NtQueryValueKey (140, (140, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00957 432 NtQueryValueKey (144, (144, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 432 NtQueryValueKey (140, (140, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00959 432 NtQueryValueKey (144, (144, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00960 432 NtQueryValueKey (140, (140, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00961 432 NtQueryValueKey (144, (144, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00962 432 NtQueryValueKey (144, (144, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 432 NtQueryValueKey (144, (144, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 432 NtQueryValueKey (144, (144, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00965 432 NtQueryValueKey (144, (144, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00966 432 NtQueryValueKey (144, (144, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00967 432 NtQueryValueKey (144, (144, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00968 432 NtQueryValueKey (144, (144, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00969 432 NtQueryValueKey (144, (144, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00970 432 NtQueryValueKey (144, (144, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 432 NtQueryValueKey (144, (144, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00972 432 NtQueryValueKey (144, (144, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00973 432 NtQueryValueKey (144, (144, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00974 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 148, ) }, ... 148, ) == 0x0 00975 432 NtQueryValueKey (148, (148, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (148, "SystemSetupInProgress", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00976 432 NtClose (148, ... ) == 0x0 00977 432 NtClose (140, ... ) == 0x0 00978 432 NtClose (144, ... ) == 0x0 00979 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 144, ) }, ... 144, ) == 0x0 00980 432 NtQueryValueKey (144, (144, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00981 432 NtQueryValueKey (144, (144, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00982 432 NtQueryValueKey (144, (144, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00983 432 NtClose (144, ... ) == 0x0 00984 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 144, ) == 0x0 00985 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00986 432 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00987 432 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00988 432 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00989 432 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00990 432 NtCreateEvent (0x1f0003, {24, 56, 0x80, 1241148, 0, (0x1f0003, {24, 56, 0x80, 1241148, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00991 432 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 140, ) }, ... 140, ) == 0x0 00992 432 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 148, ) == 0x0 00993 432 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 152, ) == 0x0 00994 432 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00995 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3932160, 65536, ) == 0x0 00996 432 NtAllocateVirtualMemory (-1, 3932160, 0, 4096, 4096, 4, ... 3932160, 4096, ) == 0x0 00997 432 NtAllocateVirtualMemory (-1, 3936256, 0, 8192, 4096, 4, ... 3936256, 8192, ) == 0x0 00998 432 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 156, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 156, {status=0x0, info=0}, ) == 0x0 00999 432 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 160, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 160, {status=0x0, info=0}, ) == 0x0 01000 432 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0 01001 432 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 168, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 168, {status=0x0, info=0}, ) == 0x0 01002 432 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1240972, (0x20100080, {24, 0, 0x40, 0, 1240972, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=0}, ) == 0x0 01003 432 NtAllocateVirtualMemory (-1, 3944448, 0, 36864, 4096, 4, ... 3944448, 36864, ) == 0x0 01004 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
176, ) == 0x0 01005 432 NtDeviceIoControlFile (156, 176, 0x0, 0x0, 0x120003, (156, 176, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (156, 176, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01006 432 NtClose (176, ... ) == 0x0 01007 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0 01008 432 NtDeviceIoControlFile (156, 176, 0x0, 0x0, 0x120003, (156, 176, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\22\360 \273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (156, 176, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\22\360 \273\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 01009 432 NtClose (176, ... ) == 0x0 01010 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0 01011 432 NtDeviceIoControlFile (156, 176, 0x0, 0x0, 0x120003, (156, 176, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... 
{status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\03\360 \273\351\20\3\0\360\0\0\0/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\325y\0\0\272\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (156, 176, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\03\360 \273\351\20\3\0\360\0\0\0/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\325y\0\0\272\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 01012 432 NtClose (176, ... ) == 0x0 01013 432 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01014 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0 01015 432 NtDeviceIoControlFile (156, 176, 0x0, 0x0, 0x120003, (156, 176, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (156, 176, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01016 432 NtClose (176, ... ) == 0x0 01017 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
176, ) == 0x0 01018 432 NtDeviceIoControlFile (156, 176, 0x0, 0x0, 0x120003, (156, 176, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (156, 176, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 01019 432 NtClose (176, ... ) == 0x0 01020 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0 01021 432 NtDeviceIoControlFile (156, 176, 0x0, 0x0, 0x120003, (156, 176, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (156, 176, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 01022 432 NtClose (176, ... ) == 0x0 01023 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01024 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01025 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01026 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01027 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01028 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01029 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... 
{BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01030 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01031 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01032 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01033 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01034 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01035 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01036 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01037 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01038 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01039 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01040 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01041 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01042 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01043 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
4063232, 65536, ) == 0x0 01044 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01045 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01046 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01047 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01048 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01049 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01050 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01051 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01052 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01053 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01054 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01055 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01056 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01057 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... 
(0x3e0000), 65536, ) == 0x0 01058 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01059 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01060 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01061 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01062 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01063 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01064 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01065 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01066 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01067 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01068 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01069 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01070 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01071 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... 
{BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01072 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01073 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01074 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01075 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01076 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01077 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01078 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01079 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01080 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01081 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01082 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01083 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01084 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01085 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 
4063232, 4096, ) == 0x0 01086 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01087 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01088 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01089 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01090 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01091 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01092 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01093 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01094 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01095 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01096 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01097 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01098 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01099 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... 
{BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01100 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01101 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01102 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01103 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01104 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01105 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01106 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01107 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01108 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01109 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01110 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01111 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01112 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01113 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
4063232, 65536, ) == 0x0 01114 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01115 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01116 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01117 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01118 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01119 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01120 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01121 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01122 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01123 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01124 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01125 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01126 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01127 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... 
(0x3e0000), 65536, ) == 0x0 01128 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01129 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01130 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01131 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01132 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01133 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01134 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01135 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01136 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01137 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01138 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01139 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01140 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01141 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... 
{BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01142 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01143 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01144 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01145 432 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01146 432 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01147 432 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01148 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 176, ) }, ... 176, ) == 0x0 01149 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 180, ) }, ... 180, ) == 0x0 01150 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 184, ) }, ... 184, ) == 0x0 01151 432 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 188, ) }, ... 188, ) == 0x0 01152 432 NtQueryDefaultLocale (1, 1240908, ... ) == 0x0 01153 432 NtProtectVirtualMemory (-1, (0x400000), 4096, 64, ... (0x400000), 4096, 2, ) == 0x0 01154 432 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01155 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01156 432 NtAllocateVirtualMemory (-1, 4063232, 0, 4096, 4096, 4, ... 4063232, 4096, ) == 0x0 01157 432 NtAllocateVirtualMemory (-1, 4067328, 0, 8192, 4096, 4, ... 4067328, 8192, ) == 0x0 01158 432 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 01159 432 NtAllocateVirtualMemory (-1, 4075520, 0, 4096, 4096, 4, ... 4075520, 4096, ) == 0x0 01160 432 NtQueryPerformanceCounter (... {117787637, 0}, {3579545, 0}, ) == 0x0 01161 432 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9764864, 1048576, ) == 0x0 01162 432 NtAllocateVirtualMemory (-1, 10805248, 0, 8192, 4096, 4, ... 10805248, 8192, ) == 0x0 01163 432 NtProtectVirtualMemory (-1, (0xa4e000), 4096, 260, ... (0xa4e000), 4096, 4, ) == 0x0 01164 432 NtCreateThread (0x1f03ff, 0x0, -1, 1243932, 1244648, 1, ... 192, {428, 572}, ) == 0x0 01165 432 NtQueryInformationThread (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=428,Tid=572,}, 0x0, ) == 0x0 01166 432 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1179664, 2147347456, 34078720, 1243692} (24, {28, 56, new_msg, 0, 1179664, 2147347456, 34078720, 1243692} "\0\0\0\0\1\0\1\0\2\3\20\2\2\3 \2\300\0\0\0\254\1\0\0<\2\0\0" ... {28, 56, reply, 0, 428, 432, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\3 \2\300\0\0\0\254\1\0\0<\2\0\0" ) ... {28, 56, reply, 0, 428, 432, 1515, 0} (24, {28, 56, new_msg, 0, 1179664, 2147347456, 34078720, 1243692} "\0\0\0\0\1\0\1\0\2\3\20\2\2\3 \2\300\0\0\0\254\1\0\0<\2\0\0" ... {28, 56, reply, 0, 428, 432, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\3 \2\300\0\0\0\254\1\0\0<\2\0\0" ) ) == 0x0 01167 432 NtResumeThread (192, ... 
1, ) == 0x0 01168 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 01169 572 NtTestAlert (... ) == 0x0 01170 572 NtContinue (10812720, 1, ... 01171 572 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01168 432 NtCreateMutant ... 196, ) == 0x0 01172 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 200, ) == 0x0 01173 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 204, ) == 0x0 01174 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 208, ) == 0x0 01175 432 NtAllocateVirtualMemory (-1, 4079616, 0, 4096, 4096, 4, ... 4079616, 4096, ) == 0x0 01176 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 212, ) == 0x0 01177 432 NtCreateMutant (0x1f0001, 0x0, 0, ... 01178 572 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 216, ) == 0x0 01179 572 NtCallbackReturn (0, 0, 0, ... 01180 572 NtUserGetThreadState (18, ... ) == 0x1 01181 572 NtUserGetAsyncKeyState (0, ... ) == 0x810a0000 01182 572 NtUserGetAsyncKeyState (32, ... ) == 0x810a0000 01183 572 NtUserGetAsyncKeyState (33, ... 01177 432 NtCreateMutant ... 220, ) == 0x0 01184 432 NtUserRegisterClassExWOW (1243520, 1243596, 1243612, 1243584, 0, 386, 0, ... ) == 0x810dc0cb 01185 432 NtUserCreateWindowEx (-2147483648, 1243504, 1243316, "0, 0, 0, 0, 0, 0, 0, 4194304, 0, 1073742848, 0, ... 01186 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239700, ... ) }, 1239700, ... ) == 0x0 01187 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0 01188 432 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 224, ... 228, ) == 0x0 01189 432 NtClose (224, ... ) == 0x0 01183 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01190 572 NtUserGetAsyncKeyState (34, ... ) == 0x810a0000 01191 572 NtUserGetAsyncKeyState (35, ... ) == 0x810a0000 01192 572 NtUserGetAsyncKeyState (36, ... ) == 0x810a0000 01193 572 NtUserGetAsyncKeyState (37, ... 
) == 0x810a0000 01194 572 NtUserGetAsyncKeyState (38, ... ) == 0x810a0000 01195 572 NtUserGetAsyncKeyState (39, ... 01196 432 NtMapViewOfSection (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa50000), 0x0, 204800, ) == 0x0 01197 432 NtClose (228, ... ) == 0x0 01198 432 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 01199 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240016, ... ) }, 1240016, ... ) == 0x0 01200 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0 01201 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 228, ... 224, ) == 0x0 01195 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01202 572 NtUserGetAsyncKeyState (40, ... ) == 0x810a0000 01203 572 NtUserGetAsyncKeyState (41, ... ) == 0x810a0000 01204 572 NtUserGetAsyncKeyState (42, ... ) == 0x810a0000 01205 572 NtUserGetAsyncKeyState (43, ... ) == 0x810a0000 01206 572 NtUserGetAsyncKeyState (44, ... ) == 0x810a0000 01207 572 NtUserGetAsyncKeyState (45, ... 01208 432 NtQuerySection (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01209 432 NtClose (228, ... ) == 0x0 01210 432 NtMapViewOfSection (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 01211 432 NtClose (224, ... ) == 0x0 01212 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01213 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01207 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01214 572 NtUserGetAsyncKeyState (46, ... ) == 0x810a0000 01215 572 NtUserGetAsyncKeyState (47, ... ) == 0x810a0000 01216 572 NtUserGetAsyncKeyState (48, ... ) == 0x810a0000 01217 572 NtUserGetAsyncKeyState (49, ... ) == 0x810a0000 01218 572 NtUserGetAsyncKeyState (50, ... ) == 0x810a0000 01219 572 NtUserGetAsyncKeyState (51, ... 01220 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01221 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 01222 432 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01223 432 NtClose (224, ... ) == 0x0 01224 432 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 224, ) }, ... 224, ) == 0x0 01225 432 NtOpenKey (0x1, {24, 224, 0x40, 0, 0, (0x1, {24, 224, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 228, ) }, ... 228, ) == 0x0 01219 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01226 572 NtUserGetAsyncKeyState (52, ... ) == 0x810a0000 01227 572 NtUserGetAsyncKeyState (53, ... ) == 0x810a0000 01228 572 NtUserGetAsyncKeyState (54, ... ) == 0x810a0000 01229 572 NtUserGetAsyncKeyState (55, ... ) == 0x810a0000 01230 572 NtUserGetAsyncKeyState (56, ... ) == 0x810a0000 01231 572 NtUserGetAsyncKeyState (57, ... 01232 432 NtQueryValueKey (228, (228, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01233 432 NtClose (228, ... ) == 0x0 01234 432 NtClose (224, ... ) == 0x0 01235 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01236 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 01237 432 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01231 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01238 572 NtUserGetAsyncKeyState (58, ... ) == 0x810a0000 01239 572 NtUserGetAsyncKeyState (59, ... ) == 0x810a0000 01240 572 NtUserGetAsyncKeyState (60, ... ) == 0x810a0000 01241 572 NtUserGetAsyncKeyState (61, ... ) == 0x810a0000 01242 572 NtUserGetAsyncKeyState (62, ... ) == 0x810a0000 01243 572 NtUserGetAsyncKeyState (63, ... 01244 432 NtClose (224, ... ) == 0x0 01245 432 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 224, ) }, ... 
224, ) == 0x0 01246 432 NtOpenKey (0x1, {24, 224, 0x40, 0, 0, (0x1, {24, 224, 0x40, 0, 0, "Control Panel\Desktop"}, ... 228, ) }, ... 228, ) == 0x0 01247 432 NtQueryValueKey (228, (228, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01248 432 NtClose (228, ... ) == 0x0 01249 432 NtClose (224, ... ) == 0x0 01243 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01250 572 NtUserGetAsyncKeyState (64, ... ) == 0x810a0000 01251 572 NtUserGetAsyncKeyState (65, ... ) == 0x810a0000 01252 572 NtUserGetAsyncKeyState (66, ... ) == 0x810a0000 01253 572 NtUserGetAsyncKeyState (67, ... ) == 0x810a0000 01254 572 NtUserGetAsyncKeyState (68, ... ) == 0x810a0000 01255 572 NtUserGetAsyncKeyState (69, ... 01256 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1239516, ... }, 1239516, ... 01255 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01257 572 NtUserGetAsyncKeyState (70, ... ) == 0x810a0000 01258 572 NtUserGetAsyncKeyState (71, ... ) == 0x810a0000 01259 572 NtUserGetAsyncKeyState (72, ... ) == 0x810a0000 01260 572 NtUserGetAsyncKeyState (73, ... ) == 0x810a0000 01261 572 NtUserGetAsyncKeyState (74, ... ) == 0x810a0000 01262 572 NtUserGetAsyncKeyState (75, ... ) == 0x810a0000 01263 572 NtUserGetAsyncKeyState (76, ... ) == 0x810a0000 01264 572 NtUserGetAsyncKeyState (77, ... ) == 0x810a0000 01265 572 NtUserGetAsyncKeyState (78, ... ) == 0x810a0000 01266 572 NtUserGetAsyncKeyState (79, ... ) == 0x810a0000 01267 572 NtUserGetAsyncKeyState (80, ... ) == 0x810a0000 01268 572 NtUserGetAsyncKeyState (81, ... ) == 0x810a0000 01269 572 NtUserGetAsyncKeyState (82, ... ) == 0x810a0000 01270 572 NtUserGetAsyncKeyState (83, ... ) == 0x810a0000 01271 572 NtUserGetAsyncKeyState (84, ... ) == 0x810a0000 01272 572 NtUserGetAsyncKeyState (85, ... ) == 0x810a0000 01273 572 NtUserGetAsyncKeyState (86, ... ) == 0x810a0000 01274 572 NtUserGetAsyncKeyState (87, ... 
) == 0x810a0000 01275 572 NtUserGetAsyncKeyState (88, ... ) == 0x810a0000 01276 572 NtUserGetAsyncKeyState (89, ... ) == 0x810a0000 01277 572 NtUserGetAsyncKeyState (90, ... ) == 0x810a0000 01278 572 NtUserGetAsyncKeyState (91, ... ) == 0x810a0000 01279 572 NtUserGetAsyncKeyState (92, ... ) == 0x810a0000 01280 572 NtUserGetAsyncKeyState (93, ... ) == 0x810a0000 01281 572 NtUserGetAsyncKeyState (94, ... ) == 0x810a0000 01282 572 NtUserGetAsyncKeyState (95, ... ) == 0x810a0000 01283 572 NtUserGetAsyncKeyState (96, ... ) == 0x810a0000 01284 572 NtUserGetAsyncKeyState (97, ... ) == 0x810a0000 01285 572 NtUserGetAsyncKeyState (98, ... ) == 0x810a0000 01286 572 NtUserGetAsyncKeyState (99, ... ) == 0x810a0000 01287 572 NtUserGetAsyncKeyState (100, ... ) == 0x810a0000 01288 572 NtUserGetAsyncKeyState (101, ... ) == 0x810a0000 01289 572 NtUserGetAsyncKeyState (102, ... ) == 0x810a0000 01290 572 NtUserGetAsyncKeyState (103, ... ) == 0x810a0000 01291 572 NtUserGetAsyncKeyState (104, ... ) == 0x810a0000 01292 572 NtUserGetAsyncKeyState (105, ... ) == 0x810a0000 01293 572 NtUserGetAsyncKeyState (106, ... ) == 0x810a0000 01294 572 NtUserGetAsyncKeyState (107, ... ) == 0x810a0000 01295 572 NtUserGetAsyncKeyState (108, ... ) == 0x810a0000 01296 572 NtUserGetAsyncKeyState (109, ... ) == 0x810a0000 01297 572 NtUserGetAsyncKeyState (110, ... ) == 0x810a0000 01298 572 NtUserGetAsyncKeyState (111, ... ) == 0x810a0000 01299 572 NtUserGetAsyncKeyState (112, ... ) == 0x810a0000 01300 572 NtUserGetAsyncKeyState (113, ... ) == 0x810a0000 01301 572 NtUserGetAsyncKeyState (114, ... ) == 0x810a0000 01302 572 NtUserGetAsyncKeyState (115, ... ) == 0x810a0000 01303 572 NtUserGetAsyncKeyState (116, ... ) == 0x810a0000 01304 572 NtUserGetAsyncKeyState (117, ... ) == 0x810a0000 01305 572 NtUserGetAsyncKeyState (118, ... ) == 0x810a0000 01306 572 NtUserGetAsyncKeyState (119, ... ) == 0x810a0000 01307 572 NtUserGetAsyncKeyState (120, ... ) == 0x810a0000 01308 572 NtUserGetAsyncKeyState (121, ... 
) == 0x810a0000 01309 572 NtUserGetAsyncKeyState (122, ... ) == 0x810a0000 01310 572 NtUserGetAsyncKeyState (123, ... ) == 0x810a0000 01311 572 NtUserGetAsyncKeyState (124, ... ) == 0x810a0000 01312 572 NtUserGetAsyncKeyState (125, ... ) == 0x810a0000 01313 572 NtUserGetAsyncKeyState (126, ... ) == 0x810a0000 01314 572 NtUserGetAsyncKeyState (127, ... ) == 0x810a0000 01315 572 NtUserGetAsyncKeyState (128, ... ) == 0x810a0000 01316 572 NtUserGetAsyncKeyState (129, ... 01256 432 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01316 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01317 572 NtUserGetAsyncKeyState (130, ... ) == 0x810a0000 01318 572 NtUserGetAsyncKeyState (131, ... ) == 0x810a0000 01319 572 NtUserGetAsyncKeyState (132, ... ) == 0x810a0000 01320 572 NtUserGetAsyncKeyState (133, ... ) == 0x810a0000 01321 572 NtUserGetAsyncKeyState (134, ... ) == 0x810a0000 01322 572 NtUserGetAsyncKeyState (135, ... 01323 432 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1239516, ... }, 1239516, ... 01322 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01324 572 NtUserGetAsyncKeyState (136, ... ) == 0x810a0000 01325 572 NtUserGetAsyncKeyState (137, ... ) == 0x810a0000 01326 572 NtUserGetAsyncKeyState (138, ... ) == 0x810a0000 01327 572 NtUserGetAsyncKeyState (139, ... ) == 0x810a0000 01328 572 NtUserGetAsyncKeyState (140, ... ) == 0x810a0000 01329 572 NtUserGetAsyncKeyState (141, ... ) == 0x810a0000 01330 572 NtUserGetAsyncKeyState (142, ... ) == 0x810a0000 01331 572 NtUserGetAsyncKeyState (143, ... ) == 0x810a0000 01332 572 NtUserGetAsyncKeyState (144, ... ) == 0x810a0000 01333 572 NtUserGetAsyncKeyState (145, ... ) == 0x810a0000 01334 572 NtUserGetAsyncKeyState (146, ... ) == 0x810a0000 01335 572 NtUserGetAsyncKeyState (147, ... ) == 0x810a0000 01336 572 NtUserGetAsyncKeyState (148, ... ) == 0x810a0000 01337 572 NtUserGetAsyncKeyState (149, ... ) == 0x810a0000 01338 572 NtUserGetAsyncKeyState (150, ... 
) == 0x810a0000 01339 572 NtUserGetAsyncKeyState (151, ... ) == 0x810a0000 01340 572 NtUserGetAsyncKeyState (152, ... ) == 0x810a0000 01341 572 NtUserGetAsyncKeyState (153, ... ) == 0x810a0000 01342 572 NtUserGetAsyncKeyState (154, ... ) == 0x810a0000 01343 572 NtUserGetAsyncKeyState (155, ... ) == 0x810a0000 01344 572 NtUserGetAsyncKeyState (156, ... ) == 0x810a0000 01345 572 NtUserGetAsyncKeyState (157, ... ) == 0x810a0000 01346 572 NtUserGetAsyncKeyState (158, ... ) == 0x810a0000 01347 572 NtUserGetAsyncKeyState (159, ... ) == 0x810a0000 01348 572 NtUserGetAsyncKeyState (160, ... ) == 0x810a0000 01349 572 NtUserGetAsyncKeyState (161, ... ) == 0x810a0000 01350 572 NtUserGetAsyncKeyState (162, ... ) == 0x810a0000 01351 572 NtUserGetAsyncKeyState (163, ... ) == 0x810a0000 01352 572 NtUserGetAsyncKeyState (164, ... ) == 0x810a0000 01353 572 NtUserGetAsyncKeyState (165, ... ) == 0x810a0000 01354 572 NtUserGetAsyncKeyState (166, ... ) == 0x810a0000 01355 572 NtUserGetAsyncKeyState (167, ... ) == 0x810a0000 01356 572 NtUserGetAsyncKeyState (168, ... ) == 0x810a0000 01357 572 NtUserGetAsyncKeyState (169, ... ) == 0x810a0000 01358 572 NtUserGetAsyncKeyState (170, ... ) == 0x810a0000 01359 572 NtUserGetAsyncKeyState (171, ... ) == 0x810a0000 01360 572 NtUserGetAsyncKeyState (172, ... ) == 0x810a0000 01361 572 NtUserGetAsyncKeyState (173, ... ) == 0x810a0000 01362 572 NtUserGetAsyncKeyState (174, ... ) == 0x810a0000 01363 572 NtUserGetAsyncKeyState (175, ... ) == 0x810a0000 01364 572 NtUserGetAsyncKeyState (176, ... ) == 0x810a0000 01365 572 NtUserGetAsyncKeyState (177, ... ) == 0x810a0000 01366 572 NtUserGetAsyncKeyState (178, ... ) == 0x810a0000 01367 572 NtUserGetAsyncKeyState (179, ... ) == 0x810a0000 01368 572 NtUserGetAsyncKeyState (180, ... ) == 0x810a0000 01369 572 NtUserGetAsyncKeyState (181, ... ) == 0x810a0000 01370 572 NtUserGetAsyncKeyState (182, ... ) == 0x810a0000 01371 572 NtUserGetAsyncKeyState (183, ... 
) == 0x810a0000 01372 572 NtUserGetAsyncKeyState (184, ... ) == 0x810a0000 01373 572 NtUserGetAsyncKeyState (185, ... ) == 0x810a0000 01374 572 NtUserGetAsyncKeyState (186, ... ) == 0x810a0000 01375 572 NtUserGetAsyncKeyState (187, ... ) == 0x810a0000 01376 572 NtUserGetAsyncKeyState (188, ... ) == 0x810a0000 01377 572 NtUserGetAsyncKeyState (189, ... ) == 0x810a0000 01378 572 NtUserGetAsyncKeyState (190, ... ) == 0x810a0000 01379 572 NtUserGetAsyncKeyState (191, ... ) == 0x810a0000 01380 572 NtUserGetAsyncKeyState (192, ... 01323 432 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01381 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1239516, ... ) }, 1239516, ... ) == 0x0 01382 432 NtUserGetProcessWindowStation (... ) == 0x2c 01383 432 NtUserGetObjectInformation (44, 2, 0, 0, 1241812, ... ) == 0x0 01384 432 NtUserGetObjectInformation (44, 2, 1352232, 16, 1241812, ... ) == 0x1 01385 432 NtUserGetGUIThreadInfo (432, 1241768, ... 01380 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01386 572 NtUserGetAsyncKeyState (193, ... ) == 0x810a0000 01387 572 NtUserGetAsyncKeyState (194, ... ) == 0x810a0000 01388 572 NtUserGetAsyncKeyState (195, ... ) == 0x810a0000 01389 572 NtUserGetAsyncKeyState (196, ... ) == 0x810a0000 01390 572 NtUserGetAsyncKeyState (197, ... ) == 0x810a0000 01391 572 NtUserGetAsyncKeyState (198, ... 01385 432 NtUserGetGUIThreadInfo ... ) == 0x1 01392 432 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1241588, 64, ... 224, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1241588, 64, ... 224, 0x0, 0x0, 0x0, 64, ) == 0x0 01393 432 NtRequestWaitReplyPort (224, {32, 56, new_msg, 0, 0, 0, 0, 0} (224, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01391 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01394 572 NtUserGetAsyncKeyState (199, ... ) == 0x810a0000 01395 572 NtUserGetAsyncKeyState (200, ... 
) == 0x810a0000 01396 572 NtUserGetAsyncKeyState (201, ... ) == 0x810a0000 01397 572 NtUserGetAsyncKeyState (202, ... ) == 0x810a0000 01398 572 NtUserGetAsyncKeyState (203, ... ) == 0x810a0000 01399 572 NtUserGetAsyncKeyState (204, ... 01393 432 NtRequestWaitReplyPort ... {32, 56, reply, 0, 428, 432, 1517, 0} ... {32, 56, reply, 0, 428, 432, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01400 432 NtRequestWaitReplyPort (224, {32, 56, new_msg, 0, 0, 0, 0, 0} (224, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01399 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01401 572 NtUserGetAsyncKeyState (205, ... ) == 0x810a0000 01402 572 NtUserGetAsyncKeyState (206, ... ) == 0x810a0000 01403 572 NtUserGetAsyncKeyState (207, ... 01400 432 NtRequestWaitReplyPort ... {32, 56, reply, 0, 428, 432, 1518, 0} ... {32, 56, reply, 0, 428, 432, 1518, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01404 432 NtUserCallNoParam (29, ... 01405 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239060, ... ) }, 1239060, ... ) == 0x0 01404 432 NtUserCallNoParam ... ) == 0x0 01406 432 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 01407 432 NtGdiHfontCreate (1241140, 356, 0, 0, 1357240, ... ) == 0xa0a0404 01403 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01408 572 NtUserGetAsyncKeyState (208, ... ) == 0x810a0000 01409 572 NtUserGetAsyncKeyState (209, ... ) == 0x810a0000 01410 572 NtUserGetAsyncKeyState (210, ... ) == 0x810a0000 01411 572 NtUserGetAsyncKeyState (211, ... ) == 0x810a0000 01412 572 NtUserGetAsyncKeyState (212, ... ) == 0x810a0000 01413 572 NtUserGetAsyncKeyState (213, ... 01414 432 NtGdiHfontCreate (1241140, 356, 0, 0, 1357232, ... 
) == 0x3f0a0382 01415 432 NtRequestWaitReplyPort (224, {32, 56, new_msg, 0, 0, 0, 0, 0} (224, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01413 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01416 572 NtUserGetAsyncKeyState (214, ... ) == 0x810a0000 01417 572 NtUserGetAsyncKeyState (215, ... ) == 0x810a0000 01418 572 NtUserGetAsyncKeyState (216, ... ) == 0x810a0000 01419 572 NtUserGetAsyncKeyState (217, ... ) == 0x810a0000 01420 572 NtUserGetAsyncKeyState (218, ... ) == 0x810a0000 01421 572 NtUserGetAsyncKeyState (219, ... 01415 432 NtRequestWaitReplyPort ... {32, 56, reply, 0, 428, 432, 1519, 0} ... {32, 56, reply, 0, 428, 432, 1519, 0} "\0\0\0\0\0\0\0\0\344\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01422 432 NtMapViewOfSection (228, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa50000), {0, 0}, 331776, ) == 0x0 01423 432 NtAllocateVirtualMemory (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0 01424 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01425 432 NtUserCallOneParam (16842836, 56, ... 01421 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01426 572 NtUserGetAsyncKeyState (220, ... ) == 0x810a0000 01427 572 NtUserGetAsyncKeyState (221, ... ) == 0x810a0000 01428 572 NtUserGetAsyncKeyState (222, ... ) == 0x810a0000 01429 572 NtUserGetAsyncKeyState (223, ... ) == 0x810a0000 01430 572 NtUserGetAsyncKeyState (224, ... ) == 0x810a0000 01431 572 NtUserGetAsyncKeyState (225, ... 01425 432 NtUserCallOneParam ... ) == 0x1 01432 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01433 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01434 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01435 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01436 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01437 432 NtUserCallOneParam (16842836, 56, ... 01431 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01438 572 NtUserGetAsyncKeyState (226, ... ) == 0x810a0000 01439 572 NtUserGetAsyncKeyState (227, ... 
) == 0x810a0000 01440 572 NtUserGetAsyncKeyState (228, ... ) == 0x810a0000 01441 572 NtUserGetAsyncKeyState (229, ... ) == 0x810a0000 01442 572 NtUserGetAsyncKeyState (230, ... ) == 0x810a0000 01443 572 NtUserGetAsyncKeyState (231, ... 01437 432 NtUserCallOneParam ... ) == 0x1 01444 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01445 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01446 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01447 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01448 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01449 432 NtUserCallOneParam (16842836, 56, ... 01443 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01450 572 NtUserGetAsyncKeyState (232, ... ) == 0x810a0000 01451 572 NtUserGetAsyncKeyState (233, ... ) == 0x810a0000 01452 572 NtUserGetAsyncKeyState (234, ... ) == 0x810a0000 01453 572 NtUserGetAsyncKeyState (235, ... ) == 0x810a0000 01454 572 NtUserGetAsyncKeyState (236, ... ) == 0x810a0000 01455 572 NtUserGetAsyncKeyState (237, ... 01449 432 NtUserCallOneParam ... ) == 0x1 01456 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01457 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01458 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01459 432 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x4d1003ea 01460 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01461 432 NtUserCallNoParam (29, ... 01455 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01462 572 NtUserGetAsyncKeyState (238, ... ) == 0x810a0000 01463 572 NtUserGetAsyncKeyState (239, ... ) == 0x810a0000 01464 572 NtUserGetAsyncKeyState (240, ... ) == 0x810a0000 01465 572 NtUserGetAsyncKeyState (241, ... ) == 0x810a0000 01466 572 NtUserGetAsyncKeyState (242, ... ) == 0x810a0000 01467 572 NtUserGetAsyncKeyState (243, ... 01468 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1238504, ... ) }, 1238504, ... ) == 0x0 01461 432 NtUserCallNoParam ... ) == 0x0 01469 432 NtUserCallNoParam (29, ... 
01470 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1238500, ... ) }, 1238500, ... ) == 0x0 01469 432 NtUserCallNoParam ... ) == 0x0 01471 432 NtUserMessageCall (0x200b4, WM_NCCREATE, 0x0, 0x12f3e0, 0, 670, 1, ... ) == 0x1 01472 432 NtUserMessageCall (0x200b4, WM_NCCALCSIZE, 0x0, 0x12f414, 0, 670, 1, ... ) == 0x0 01473 432 NtUserGetClassName (131252, 0, 1241300, ... 01467 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01474 572 NtUserGetAsyncKeyState (244, ... ) == 0x810a0000 01475 572 NtUserGetAsyncKeyState (245, ... ) == 0x810a0000 01476 572 NtUserGetAsyncKeyState (246, ... ) == 0x810a0000 01477 572 NtUserGetAsyncKeyState (247, ... ) == 0x810a0000 01478 572 NtUserGetAsyncKeyState (248, ... ) == 0x810a0000 01479 572 NtUserGetAsyncKeyState (249, ... 01473 432 NtUserGetClassName ... ) == 0x4 01480 432 NtUserRemoveProp (131252, 43282, ... ) == 0x0 01481 432 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 35020, 28, 3801155, 5701724} (24, {24, 52, new_msg, 0, 35020, 28, 3801155, 5701724} "\0\0\0\0\5\4\3\0W\0S\0\\0s\0\260\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 428, 432, 1520, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\\0s\0\260\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 428, 432, 1520, 0} (24, {24, 52, new_msg, 0, 35020, 28, 3801155, 5701724} "\0\0\0\0\5\4\3\0W\0S\0\\0s\0\260\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 428, 432, 1520, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\\0s\0\260\1\0\0\0\0\0\0" ) ) == 0x0 01482 432 NtUserGetThreadDesktop (432, 0, ... ) == 0x30 01483 432 NtUserGetObjectInformation (48, 2, 1240976, 520, 0, ... ) == 0x1 01484 432 NtGdiDeleteObjectApp (1292895210, ... ) == 0x1 01479 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01485 572 NtUserGetAsyncKeyState (250, ... ) == 0x810a0000 01486 572 NtUserGetAsyncKeyState (251, ... ) == 0x810a0000 01487 572 NtUserGetAsyncKeyState (252, ... ) == 0x810a0000 01488 572 NtUserGetAsyncKeyState (253, ... ) == 0x810a0000 01489 572 NtUserGetAsyncKeyState (254, ... 
) == 0x810a0000 01490 572 NtUserGetAsyncKeyState (255, ... 01491 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01492 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01493 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01494 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01495 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01496 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01490 572 NtUserGetAsyncKeyState ... ) == 0x810a0000 01497 572 NtDelayExecution (0, {-10000000, -1}, ... 01498 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01499 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01500 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01501 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01502 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01503 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01504 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01505 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01506 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01507 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01508 432 NtUserGetWindowDC (0, ... ) == 0x1010054 01509 432 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x4e1003ea 01510 432 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01511 432 NtUserSetProp (131252, 43288, 3294272, ... ) == 0x1 01512 432 NtUserGetAncestor (131252, 1, ... ) == 0x10014 01513 432 NtUserSetWindowPos (131252, 0, 0, 0, 123, 34, 1047, ... ) == 0x1 01185 432 NtUserCreateWindowEx ... ) == 0x200b4 01514 432 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 232, ) }, ... 232, ) == 0x0 01515 432 NtQueryValueKey (232, (232, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (232, "WinSock_Registry_Version", Partial, 144, ... 
TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01516 432 NtQueryValueKey (232, (232, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (232, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01517 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 236, ) == 0x0 01518 432 NtOpenKey (0x2000000, {24, 232, 0x40, 0, 0, (0x2000000, {24, 232, 0x40, 0, 0, "Protocol_Catalog9"}, ... 240, ) }, ... 240, ) == 0x0 01519 432 NtQueryValueKey (240, (240, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01520 432 NtNotifyChangeKey (240, 236, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01521 432 NtQueryValueKey (240, (240, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01522 432 NtOpenKey (0x2000000, {24, 240, 0x40, 0, 0, (0x2000000, {24, 240, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01523 432 NtQueryValueKey (240, (240, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 01524 432 NtQueryValueKey (240, (240, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Num_Catalog_Entries", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01525 432 NtOpenKey (0x2000000, {24, 240, 0x40, 0, 0, (0x2000000, {24, 240, 0x40, 0, 0, "Catalog_Entries"}, ... 244, ) }, ... 244, ) == 0x0 01526 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000001"}, ... 248, ) }, ... 248, ) == 0x0 01527 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01528 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01529 432 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 01530 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\373\5\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\373\5\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\374\5\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\374\5\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\375\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\375\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\376\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\373\5\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\373\5\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\374\5\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\374\5\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\375\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\375\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\376\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\375\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\376\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\373\5\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\373\5\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\374\5\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\374\5\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\375\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\375\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\376\5\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01531 432 NtClose (248, ... ) == 0x0 01532 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000002"}, ... 248, ) }, ... 248, ) == 0x0 01533 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01534 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01535 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\0\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\0\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\1\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\2\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\0\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\0\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\1\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\2\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\0\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\0\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\1\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\2\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\2\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01536 432 NtClose (248, ... ) == 0x0 01537 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000003"}, ... 248, ) }, ... 248, ) == 0x0 01538 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01539 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01540 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\5\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\5\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\6\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\7\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\7\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\10\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\5\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\5\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\6\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\7\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\7\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\10\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\7\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\10\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\5\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\5\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\6\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\7\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\7\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\10\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01541 432 NtClose (248, ... ) == 0x0 01542 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000004"}, ... 248, ) }, ... 248, ) == 0x0 01543 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01544 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01545 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\12\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\12\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\13\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\13\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\14\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\12\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\12\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\13\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\13\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\14\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\12\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\12\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\13\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\13\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\14\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\14\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\15\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01546 432 NtClose (248, ... ) == 0x0 01547 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000005"}, ... 248, ) }, ... 248, ) == 0x0 01548 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01549 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01550 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\17\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\17\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\20\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\21\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\17\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\17\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\20\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\21\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\17\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\17\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\20\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\21\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01551 432 NtClose (248, ... ) == 0x0 01552 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000006"}, ... 248, ) }, ... 248, ) == 0x0 01553 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01554 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01555 432 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01556 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\25\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\25\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\26\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\27\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\25\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\25\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\26\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\27\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\25\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\25\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\26\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\27\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01557 432 NtClose (248, ... ) == 0x0 01558 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000007"}, ... 248, ) }, ... 248, ) == 0x0 01559 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01560 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01561 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\32\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\32\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\33\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\34\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\32\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\32\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\33\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\34\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\32\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\32\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\33\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\34\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01562 432 NtClose (248, ... ) == 0x0 01563 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000008"}, ... 248, ) }, ... 248, ) == 0x0 01564 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01565 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01566 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\37\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\37\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0 \6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0!\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0!\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0"\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\37\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\37\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0 \6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0!\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0!\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0"\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0!\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\37\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\37\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0 \6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0 
\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0!\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0!\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0"\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 01567 432 NtClose (248, ... ) == 0x0 01568 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000009"}, ... 248, ) }, ... 248, ) == 0x0 01569 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01570 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01571 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0$\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0$\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0%\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0&\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0&\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0$\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0$\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0%\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0&\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0&\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0&\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0$\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0$\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0%\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0&\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0&\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01572 432 NtClose (248, ... ) == 0x0 01573 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000010"}, ... 248, ) }, ... 248, ) == 0x0 01574 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01575 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01576 432 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01577 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0*\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0*\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0+\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0,\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0*\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0*\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0+\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0,\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0*\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0*\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\360\370\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360\266\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0+\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0,\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\6\0\0\254\1\0\0\260\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01578 432 NtClose (248, ... ) == 0x0 01579 432 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000011"}, ... 248, ) }, ... 248, ) == 0x0 01580 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01581 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01582 432 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0/\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0/\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\00\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\6\0\0\254\1\0\0\260\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\01\6\0\0\254\1\0\0\260\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\02\6\0\0\254\1\0\0\260\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\02\6\0\0\254\1\0\0\260\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\03\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\350\0\0\0\14\371\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300\266\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0/\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0/\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\00\6\0\0\254\1\0\0\260\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\6\0\0\254\1\0\0\260\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\01\6\0\0\254\1\0\0\260\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\02\6\0\0\254\1\0\0\260\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\02\6\0\0\254\1\0\0\260\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\03\6\0\0\254\1\0\0\260\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\350\0\0\0\14\371\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300\266\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 01583 432 NtClose (248, ... ) == 0x0 01584 432 NtClose (244, ... ) == 0x0 01585 432 NtWaitForSingleObject (236, 0, {0, 0}, ... 
) == 0x102 01586 432 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 244, ) == 0x0 01587 432 NtOpenKey (0x2000000, {24, 232, 0x40, 0, 0, (0x2000000, {24, 232, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 248, ) }, ... 248, ) == 0x0 01588 432 NtQueryValueKey (248, (248, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01589 432 NtNotifyChangeKey (248, 244, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01590 432 NtQueryValueKey (248, (248, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01591 432 NtOpenKey (0x2000000, {24, 248, 0x40, 0, 0, (0x2000000, {24, 248, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01592 432 NtQueryValueKey (248, (248, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01593 432 NtOpenKey (0x2000000, {24, 248, 0x40, 0, 0, (0x2000000, {24, 248, 0x40, 0, 0, "Catalog_Entries"}, ... 252, ) }, ... 252, ) == 0x0 01594 432 NtOpenKey (0x20019, {24, 252, 0x40, 0, 0, (0x20019, {24, 252, 0x40, 0, 0, "000000000001"}, ... 256, ) }, ... 256, ) == 0x0 01595 432 NtQueryValueKey (256, (256, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01596 432 NtQueryValueKey (256, (256, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01597 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01598 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01599 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01600 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01601 432 NtQueryValueKey (256, (256, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (256, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01602 432 NtQueryValueKey (256, (256, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01603 432 NtQueryValueKey (256, (256, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01604 432 NtQueryValueKey (256, (256, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01605 432 NtQueryValueKey (256, (256, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01606 432 NtQueryValueKey (256, (256, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01607 432 NtClose (256, ... ) == 0x0 01608 432 NtOpenKey (0x20019, {24, 252, 0x40, 0, 0, (0x20019, {24, 252, 0x40, 0, 0, "000000000002"}, ... 256, ) }, ... 256, ) == 0x0 01609 432 NtQueryValueKey (256, (256, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01610 432 NtQueryValueKey (256, (256, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01611 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01612 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01613 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01614 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01615 432 NtQueryValueKey (256, (256, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (256, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01616 432 NtQueryValueKey (256, (256, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01617 432 NtQueryValueKey (256, (256, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01618 432 NtQueryValueKey (256, (256, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01619 432 NtQueryValueKey (256, (256, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01620 432 NtQueryValueKey (256, (256, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01621 432 NtClose (256, ... ) == 0x0 01622 432 NtOpenKey (0x20019, {24, 252, 0x40, 0, 0, (0x20019, {24, 252, 0x40, 0, 0, "000000000003"}, ... 256, ) }, ... 256, ) == 0x0 01623 432 NtQueryValueKey (256, (256, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01624 432 NtQueryValueKey (256, (256, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01625 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01626 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01627 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01628 432 NtQueryValueKey (256, (256, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01629 432 NtQueryValueKey (256, (256, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (256, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01630 432 NtQueryValueKey (256, (256, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01631 432 NtQueryValueKey (256, (256, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01632 432 NtQueryValueKey (256, (256, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01633 432 NtQueryValueKey (256, (256, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01634 432 NtQueryValueKey (256, (256, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01635 432 NtClose (256, ... 
) == 0x0 01636 432 NtClose (252, ... ) == 0x0 01637 432 NtWaitForSingleObject (244, 0, {0, 0}, ... ) == 0x102 01638 432 NtClose (232, ... ) == 0x0 01639 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01640 432 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01641 432 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 232, ) }, ... 232, ) == 0x0 01642 432 NtQueryValueKey (232, (232, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01643 432 NtClose (232, ... ) == 0x0 01644 432 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01645 432 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 232, ) == 0x0 01646 432 NtCreateMutant (0x1f0001, {24, 56, 0x80, 0, 0, (0x1f0001, {24, 56, 0x80, 0, 0, "d3kb5sujs50lq2mr"}, 0, ... 252, ) }, 0, ... 252, ) == 0x0 01647 432 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243472, (0xc0100080, {24, 0, 0x40, 0, 1243472, "\??\C:\WINDOWS\System32\mvwatvx.exe"}, 0x0, 128, 3, 3, 96, 0, 0, ... 256, {status=0x0, info=2}, ) }, 0x0, 128, 3, 3, 96, 0, 0, ... 256, {status=0x0, info=2}, ) == 0x0 01648 432 NtClose (256, ... ) == 0x0 01649 432 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242472, (0x80100080, {24, 0, 0x40, 0, 1242472, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 256, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 256, {status=0x0, info=1}, ) == 0x0 01650 432 NtQueryInformationFile (256, 1243408, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01651 432 NtQueryInformationFile (256, 1243380, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 01652 432 NtQueryInformationFile (256, 1243332, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01653 432 NtAllocateVirtualMemory (-1, 1376256, 0, 8192, 4096, 4, ... 1376256, 8192, ) == 0x0 01654 432 NtQueryInformationFile (256, 1372328, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01655 432 NtQueryInformationFile (256, 1241876, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01656 432 NtQueryInformationFile (256, 1241720, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01657 432 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1241728, (0x40110080, {24, 0, 0x40, 0, 1241728, "\??\C:\WINDOWS\System32\mvwatvx.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01658 432 NtClose (-2147482020, ... ) == 0x0 01657 432 NtCreateFile ... 260, {status=0x0, info=3}, ) == 0x0 01659 432 NtQueryVolumeInformationFile (260, 1241100, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01660 432 NtQueryInformationFile (260, 1241060, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01661 432 NtQueryVolumeInformationFile (256, 1241100, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01662 432 NtQueryVolumeInformationFile (256, 1240784, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01663 432 NtSetInformationFile (260, 1240888, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01664 432 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 256, ... 264, ) == 0x0 01665 432 NtMapViewOfSection (264, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xab0000), {0, 0}, 180224, ) == 0x0 01666 432 NtClose (264, ... 
) == 0x0 01667 432 NtWriteFile (260, 0, 0, 0, (260, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\^\375\16\30?\223]\30?\223]\30?\223]\137\372]\32?\223]\353\234]8?\223]\353\314]\210?\223]\3330\314]\34?\223]\353\363]\16?\223]\360 \231]\31?\223]\3330\316]\11?\223]\30?\222]\304?\223]\353\360]%?\223]\353\311]\31?\223]Rich\30?\223]\0\0\0\0\0\0\0\0PE\0\0L\1\3\0W\236\F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0r\2\0\0\4\1\0\0\0\0\0\0\240\3\0\0\20\0\0\0\220\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\227\6\4\0\0\0\0\0\0\0\0P\6\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0]\257\3\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\15\3\0H\0\0\0\0\0\0\0\0\0\0\0\0\220\2\0\4\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\220\3\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01668 432 NtWriteFile (260, 0, 0, 0, (260, 0, 0, 0, "m5\347\344EF\322-\16C\240mX"2\354\347\340EF\345-\6\347\367\370\306\365r\234}ki\7\333\374\377\327\220\227\230\207\222)\307\252Ex\220\255\377\367S2\207\370:\177\347dEF\332\255\304\307\322\247\205\336\355T\347\242Q\305\354m\371\347\344A\241\255\355\243\241\245A\307\325\355\37\307\345y \271\272\7\347\352y\204\372\272\27\201iEC\212\364\220`"A\307\355\255\344\327mi\307\301\355\225,\355E\204\347\204\266\347cA\307\344\355u ci\307\332\255\347\367\0\360\305\315-\376\367iu\1\245\214\357\241cq\305\355-\307\243k]\305\347\274\10$kU\207\375\206\224\20\262\\5\312\177\336\24\230;\305\355\374h\241\242A\307\365r\370\22\225\250\307\340-s\201\351U\305\345\355\260\327mUF\337\342/\221ma\304\355\355\260Bci\305\377\255\270\347\245MD\350\355\37\327%u\355g4f\327k}\305\336\355U\367\242i\305\317\255&\307`I\307\343m\265\275\340y@lm\200\307\16\323h\231-xQr` \200\4\7\307\251EF\371\355;\253z\334\7\314\274\177\367\341Q\307\333\255\355\347\204\360\7\300\4#A\377\300\306\346-p\307\276|\304\305\355\214\2\344I\307\342\355\206\327!u\305\315-P\307=8\6\375-#\347\351]m\273\255\25\327\340Q\307\373\255A\221\262@\305\350\370G\14\335\274\4\364r\333\241lIM\253;\247\347\207\304F\350m/SkE\205\356m\27\327\272P\207\353\227\241\327*y\5\350m4\347G\302\204\364\277\254\223`u-\256m\361\347\210\220!\263\255\37\327eI\307\324\355+\347\242uE\355\355\333P\355a\306\341\355+\307iq\4\324-\1seY\350\251w\337\307)E\325\273\255U\367\213\310C\264\255\310\275\211\204F\334\3551\347", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) 2\354\347\340EF\345-\6\347\367\370\306\365r\234}ki\7\333\374\377\327\220\227\230\207\222)\307\252Ex\220\255\377\367S2\207\370:\177\347dEF\332\255\304\307\322\247\205\336\355T\347\242Q\305\354m\371\347\344A\241\255\355\243\241\245A\307\325\355\37\307\345y \271\272\7\347\352y\204\372\272\27\201iEC\212\364\220` (260, 0, 0, 0, "m5\347\344EF\322-\16C\240mX"2\354\347\340EF\345-\6\347\367\370\306\365r\234}ki\7\333\374\377\327\220\227\230\207\222)\307\252Ex\220\255\377\367S2\207\370:\177\347dEF\332\255\304\307\322\247\205\336\355T\347\242Q\305\354m\371\347\344A\241\255\355\243\241\245A\307\325\355\37\307\345y \271\272\7\347\352y\204\372\272\27\201iEC\212\364\220`"A\307\355\255\344\327mi\307\301\355\225,\355E\204\347\204\266\347cA\307\344\355u ci\307\332\255\347\367\0\360\305\315-\376\367iu\1\245\214\357\241cq\305\355-\307\243k]\305\347\274\10$kU\207\375\206\224\20\262\\5\312\177\336\24\230;\305\355\374h\241\242A\307\365r\370\22\225\250\307\340-s\201\351U\305\345\355\260\327mUF\337\342/\221ma\304\355\355\260Bci\305\377\255\270\347\245MD\350\355\37\327%u\355g4f\327k}\305\336\355U\367\242i\305\317\255&\307`I\307\343m\265\275\340y@lm\200\307\16\323h\231-xQr` \200\4\7\307\251EF\371\355;\253z\334\7\314\274\177\367\341Q\307\333\255\355\347\204\360\7\300\4#A\377\300\306\346-p\307\276|\304\305\355\214\2\344I\307\342\355\206\327!u\305\315-P\307=8\6\375-#\347\351]m\273\255\25\327\340Q\307\373\255A\221\262@\305\350\370G\14\335\274\4\364r\333\241lIM\253;\247\347\207\304F\350m/SkE\205\356m\27\327\272P\207\353\227\241\327*y\5\350m4\347G\302\204\364\277\254\223`u-\256m\361\347\210\220!\263\255\37\327eI\307\324\355+\347\242uE\355\355\333P\355a\306\341\355+\307iq\4\324-\1seY\350\251w\337\307)E\325\273\255U\367\213\310C\264\255\310\275\211\204F\334\3551\347", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01669 432 NtWriteFile (260, 0, 0, 0, (260, 0, 0, 0, "\265r\345i\204\356mG\241\244q\4\373\355\5\367kY)\265\355\267\347\257\200\304\315\2621\307cu\6\356v\16q\252IF\346\355\16A\252Ym\215\355iSM\304\314\216\2613\3274\204F\301-\217\347\365\253\254M-]\307\11h\307\305\355l\241iY\6\372\255r\347C\345,=\2558U\2\371\357\347\365T\367E\364\305\345t(\327\355E\5\375\367i\307\214r\4\372\355\24QgE\306\302g\361\347\316\337i\223\177n\21N\371\305\346m\346\307\314\350\232\2567\274\307\11\365\242\206\255\223u\313_V\236\355\244\327\3\353\4\373\355\7\347iq\317\244-\233\367\245M\360\250m:}-u\305\345-:1\355]\311f\355\7\327\265,E\353'\320\241\347A\256\373\277\347\347ceG\367\4#\307-A\201\230\255d\20)q(b-\204m\335\304(\321\355\205\307x\300\5\373\255h0\341MD\357\355\337\307ou^\203\4\226-gyk\225rz\1\241E\37\247m\34\347\273@\204\314x\241\307cY\6\303\361\331\327\5\320\306\343m^\35\221TE\332-t\347e]\314L\355\360]\251A\14\246m\34\327\215\324x\247\367zoB\204\307\3146.a\346a\207\3664\254\242kY\306\350m\262s\336l\212\256m\301\367\203sH\225\246\373%\335t\304\344m\357\354'QU\2504\340\347ce\7\367\4\263\367\246\34\354\201-\32\307cI\305\356\266\365\314\332\330\305\341m\205\347\200x\24\220-\365\334E\220b\231-\236\241(]\255\245\255&\367-EE\363;\7\347\246Q\7\332\207\10\360\355\254\306\361\277A\202\305\354W`\355\305\347\245qa\236\355\331\327%i\307\372m\360C\252}\304\365\366\270\307\243I\352-\255Q3oe\364b-\377\261,$\305\350\6\356\307\333\331\355\230\255\\307\33", 54272, 0x0, 0, ... {status=0x0, info=54272}, ) , 54272, 0x0, 0, ... {status=0x0, info=54272}, ) == 0x0 01670 432 NtUnmapViewOfSection (-1, 0xab0000, ... ) == 0x0 01671 432 NtSetInformationFile (260, 1243332, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01672 432 NtClose (256, ... ) == 0x0 01673 432 NtClose (260, ... ) == 0x0 01674 432 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243496, (0xc0100080, {24, 0, 0x40, 0, 1243496, "\??\C:\WINDOWS\System32\calc.exe"}, 0x0, 128, 3, 3, 96, 0, 0, ... 
260, {status=0x0, info=1}, ) }, 0x0, 128, 3, 3, 96, 0, 0, ... 260, {status=0x0, info=1}, ) == 0x0 01675 432 NtQueryInformationFile (260, 1243588, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01676 432 NtClose (260, ... ) == 0x0 01677 432 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243496, (0xc0100080, {24, 0, 0x40, 0, 1243496, "\??\C:\WINDOWS\System32\mvwatvx.exe"}, 0x0, 128, 3, 3, 96, 0, 0, ... 260, {status=0x0, info=1}, ) }, 0x0, 128, 3, 3, 96, 0, 0, ... 260, {status=0x0, info=1}, ) == 0x0 01678 432 NtSetInformationFile (260, 1243588, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01679 432 NtClose (260, ... ) == 0x0 01680 432 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 01681 432 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mvwatvx.exe"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0 01682 432 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 260, ... 256, ) == 0x0 01683 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01684 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 264, ) }, ... 264, ) == 0x0 01685 432 NtQueryValueKey (264, (264, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01686 432 NtClose (264, ... ) == 0x0 01687 432 NtQueryVolumeInformationFile (260, 1240028, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01688 432 NtOpenMutant (0x120001, {24, 56, 0x0, 0, 0, (0x120001, {24, 56, 0x0, 0, 0, "ShimCacheMutex"}, ... 264, ) }, ... 264, ) == 0x0 01689 432 NtWaitForSingleObject (264, 0, {-1000000, -1}, ... ) == 0x0 01690 432 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "ShimSharedMemory"}, ... 
268, ) }, ... 268, ) == 0x0 01691 432 NtMapViewOfSection (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 57344, ) == 0x0 01692 432 NtReleaseMutant (264, ... 0x0, ) == 0x0 01693 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238012, ... ) }, 1238012, ... ) == 0x0 01694 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 272, {status=0x0, info=1}, ) }, 5, 96, ... 272, {status=0x0, info=1}, ) == 0x0 01695 432 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 272, ... 276, ) == 0x0 01696 432 NtClose (272, ... ) == 0x0 01697 432 NtMapViewOfSection (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xab0000), 0x0, 106496, ) == 0x0 01698 432 NtClose (276, ... ) == 0x0 01699 432 NtUnmapViewOfSection (-1, 0xab0000, ... ) == 0x0 01700 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238328, ... ) }, 1238328, ... ) == 0x0 01701 432 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0 01702 432 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 276, ... 272, ) == 0x0 01703 432 NtQuerySection (272, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01704 432 NtClose (276, ... ) == 0x0 01705 432 NtMapViewOfSection (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01706 432 NtClose (272, ... ) == 0x0 01707 432 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 272, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 272, {status=0x0, info=1}, ) == 0x0 01708 432 NtQueryInformationFile (272, 1238616, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 01709 432 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 272, ... 276, ) == 0x0 01710 432 NtMapViewOfSection (276, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xab0000), 0x0, 1028096, ) == 0x0 01711 432 NtQueryInformationFile (272, 1238712, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01712 432 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01713 432 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01714 432 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01715 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0 01716 432 NtQueryDirectoryFile (280, 0, 0, 0, 1236276, 616, BothDirectory, 1, (280, 0, 0, 0, 1236276, 616, BothDirectory, 1, "mvwatvx.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 01717 432 NtClose (280, ... ) == 0x0 01718 432 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01719 432 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01720 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mvwatvx.exe"}, 1235664, ... ) }, 1235664, ... ) == 0x0 01721 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0 01722 432 NtQueryDirectoryFile (280, 0, 0, 0, 1235024, 616, BothDirectory, 1, (280, 0, 0, 0, 1235024, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... 
{status=0x0, info=108}, ) == 0x0 01723 432 NtClose (280, ... ) == 0x0 01724 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0 01725 432 NtQueryDirectoryFile (280, 0, 0, 0, 1235024, 616, BothDirectory, 1, (280, 0, 0, 0, 1235024, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01726 432 NtClose (280, ... ) == 0x0 01727 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0 01728 432 NtQueryDirectoryFile (280, 0, 0, 0, 1235024, 616, BothDirectory, 1, (280, 0, 0, 0, 1235024, 616, BothDirectory, 1, "mvwatvx.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 01729 432 NtClose (280, ... ) == 0x0 01730 432 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01731 432 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01732 432 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01733 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01734 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 280, ) == 0x0 01735 432 NtQueryInformationToken (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01736 432 NtClose (280, ... ) == 0x0 01737 432 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01738 432 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\mvwatvx.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01739 432 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01740 432 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01741 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mvwatvx.exe"}, 1237944, ... ) }, 1237944, ... ) == 0x0 01742 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0 01743 432 NtQueryDirectoryFile (280, 0, 0, 0, 1237304, 616, BothDirectory, 1, (280, 0, 0, 0, 1237304, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01744 432 NtClose (280, ... ) == 0x0 01745 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0 01746 432 NtQueryDirectoryFile (280, 0, 0, 0, 1237304, 616, BothDirectory, 1, (280, 0, 0, 0, 1237304, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01747 432 NtClose (280, ... ) == 0x0 01748 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0 01749 432 NtQueryDirectoryFile (280, 0, 0, 0, 1237304, 616, BothDirectory, 1, (280, 0, 0, 0, 1237304, 616, BothDirectory, 1, "mvwatvx.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 01750 432 NtClose (280, ... 
) == 0x0 01751 432 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01752 432 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01753 432 NtWaitForSingleObject (264, 0, {-1000000, -1}, ... ) == 0x0 01754 432 NtQueryVolumeInformationFile (260, 1238588, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01755 432 NtQueryInformationFile (260, 1238568, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01756 432 NtQueryInformationFile (260, 1238608, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01757 432 NtReleaseMutant (264, ... 0x0, ) == 0x0 01758 432 NtUnmapViewOfSection (-1, 0xab0000, ... ) == 0x0 01759 432 NtClose (276, ... ) == 0x0 01760 432 NtClose (272, ... ) == 0x0 01761 432 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01762 432 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mvwatvx.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01763 432 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01764 432 NtOpenProcessToken (-1, 0xa, ... 272, ) == 0x0 01765 432 NtQueryInformationToken (272, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 01766 432 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01767 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0 01768 432 NtQueryValueKey (276, (276, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (276, "TransparentEnabled", Partial, 80, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01769 432 NtQueryValueKey (276, (276, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (276, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01770 432 NtClose (276, ... ) == 0x0 01771 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0 01772 432 NtQueryValueKey (276, (276, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01773 432 NtQueryValueKey (276, (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (276, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01774 432 NtClose (276, ... ) == 0x0 01775 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01776 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0 01777 432 NtQueryValueKey (276, (276, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01778 432 NtClose (276, ... ) == 0x0 01779 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01780 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01781 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01782 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01783 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01784 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01785 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01786 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01787 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01788 432 NtQueryDefaultLocale (1, 1239400, ... ) == 0x0 01789 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 276, ) }, ... 276, ) == 0x0 01790 432 NtEnumerateKey (276, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (276, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 01791 432 NtOpenKey (0x20019, {24, 276, 0x40, 0, 0, (0x20019, {24, 276, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 280, ) }, ... 280, ) == 0x0 01792 432 NtQueryValueKey (280, (280, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... 
TitleIdx=0, Type=2, Data= (280, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 01793 432 NtQueryValueKey (280, (280, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (280, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01794 432 NtClose (280, ... ) == 0x0 01795 432 NtEnumerateKey (276, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01796 432 NtClose (276, ... ) == 0x0 01797 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01798 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01799 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01800 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01801 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01802 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01803 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01804 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01805 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01806 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01807 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01808 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01809 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01810 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01811 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01812 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01813 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01814 432 NtClose (276, ... ) == 0x0 01815 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01816 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01817 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01818 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01819 432 NtClose (276, ... ) == 0x0 01820 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01821 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01822 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01823 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01824 432 NtClose (276, ... ) == 0x0 01825 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01826 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01827 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01828 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01829 432 NtClose (276, ... 
) == 0x0 01830 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01831 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01832 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01833 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01834 432 NtClose (276, ... ) == 0x0 01835 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01836 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01837 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01838 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01839 432 NtClose (276, ... ) == 0x0 01840 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01841 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01842 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01843 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01844 432 NtClose (276, ... ) == 0x0 01845 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01846 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01847 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01848 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01849 432 NtClose (276, ... ) == 0x0 01850 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01851 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01852 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01853 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01854 432 NtClose (276, ... ) == 0x0 01855 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01856 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01857 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01858 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01859 432 NtClose (276, ... ) == 0x0 01860 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01861 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01862 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01863 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01864 432 NtClose (276, ... 
) == 0x0 01865 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01866 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01867 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01868 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01869 432 NtClose (276, ... ) == 0x0 01870 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01871 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01872 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01873 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01874 432 NtClose (276, ... ) == 0x0 01875 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01876 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01877 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01878 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01879 432 NtClose (276, ... ) == 0x0 01880 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01881 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01882 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01883 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01884 432 NtClose (276, ... ) == 0x0 01885 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01886 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0 01887 432 NtQueryValueKey (276, (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (276, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 01888 432 NtClose (276, ... ) == 0x0 01889 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01890 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01891 432 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01892 432 NtClose (276, ... ) == 0x0 01893 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01894 432 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01895 432 NtOpenProcessToken (-1, 0xa, ... 276, ) == 0x0 01896 432 NtDuplicateToken (276, 0xc, {24, 0, 0x0, 0, 1239920, 0x0}, 0, 2, ... 280, ) == 0x0 01897 432 NtClose (276, ... ) == 0x0 01898 432 NtAccessCheck (1379472, 280, 0x1, 1240048, 1239992, 56, 1240076, ... 
(0x1), ) == 0x0 01899 432 NtClose (280, ... ) == 0x0 01900 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 280, ) }, ... 280, ) == 0x0 01901 432 NtQueryValueKey (280, (280, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (280, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01902 432 NtClose (280, ... ) == 0x0 01903 432 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 280, ) }, ... 280, ) == 0x0 01904 432 NtQuerySymbolicLinkObject (280, ... (280, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01905 432 NtClose (280, ... ) == 0x0 01906 432 NtQueryInformationFile (260, 1238380, 528, Name, ... {status=0x0, info=62}, ) == 0x0 01907 432 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01908 432 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01909 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mvwatvx.exe"}, 1237060, ... ) }, 1237060, ... ) == 0x0 01910 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0 01911 432 NtQueryDirectoryFile (280, 0, 0, 0, 1236420, 616, BothDirectory, 1, (280, 0, 0, 0, 1236420, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01912 432 NtClose (280, ... ) == 0x0 01913 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 
280, {status=0x0, info=1}, ) == 0x0 01914 432 NtQueryDirectoryFile (280, 0, 0, 0, 1236420, 616, BothDirectory, 1, (280, 0, 0, 0, 1236420, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01915 432 NtClose (280, ... ) == 0x0 01916 432 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 280, {status=0x0, info=1}, ) }, 3, 16417, ... 280, {status=0x0, info=1}, ) == 0x0 01917 432 NtQueryDirectoryFile (280, 0, 0, 0, 1236420, 616, BothDirectory, 1, (280, 0, 0, 0, 1236420, 616, BothDirectory, 1, "mvwatvx.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 01918 432 NtClose (280, ... ) == 0x0 01919 432 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01920 432 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01921 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01922 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 280, ) == 0x0 01923 432 NtQueryInformationToken (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01924 432 NtClose (280, ... ) == 0x0 01925 432 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 280, ) }, ... 280, ) == 0x0 01926 432 NtOpenKey (0x20019, {24, 280, 0x40, 0, 0, (0x20019, {24, 280, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 276, ) }, ... 276, ) == 0x0 01927 432 NtClose (280, ... ) == 0x0 01928 432 NtQueryValueKey (276, (276, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01929 432 NtQueryValueKey (276, (276, "Cache", Partial, 162, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (276, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 01930 432 NtClose (276, ... ) == 0x0 01931 432 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 11206656, 4096, ) == 0x0 01932 432 NtAllocateVirtualMemory (-1, 11206656, 0, 4096, 4096, 4, ... 11206656, 4096, ) == 0x0 01933 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 276, ) }, ... 276, ) == 0x0 01934 432 NtQueryValueKey (276, (276, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01935 432 NtClose (276, ... ) == 0x0 01936 432 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01937 432 NtQueryInformationToken (272, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01938 432 NtQueryInformationToken (272, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 01939 432 NtClose (272, ... ) == 0x0 01940 432 NtCreateProcessEx (1242656, 2035711, 0, -1, 0, 256, 0, 0, 0, ... ) == 0x0 01941 432 NtQueryInformationProcess (272, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=584,ParentPid=428,}, 0x0, ) == 0x0 01942 432 NtReadVirtualMemory (272, 0x7ffdf008, 4, ... (272, 0x7ffdf008, 4, ... 
"\0\0@\0", 0x0, ) , 0x0, ) == 0x0 01943 432 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mvwatvx.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01944 432 NtReadVirtualMemory (272, 0x400000, 4096, ... (272, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\^\375\16\30?\223]\30?\223]\30?\223]\137\372]\32?\223]\353\234]8?\223]\353\314]\210?\223]\3330\314]\34?\223]\353\363]\16?\223]\360 \231]\31?\223]\3330\316]\11?\223]\30?\222]\304?\223]\353\360]%?\223]\353\311]\31?\223]Rich\30?\223]\0\0\0\0\0\0\0\0PE\0\0L\1\3\0W\236\F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0r\2\0\0\4\1\0\0\0\0\0\0\240\3\0\0\20\0\0\0\220\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\227\6\4\0\0\0\0\0\0\0\0P\6\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0]\257\3\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\15\3\0H\0\0\0\0\0\0\0\0\0\0\0\0\220\2\0\4\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\220\3\0", 4096, ) , 4096, ) == 0x0 01945 432 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01946 432 NtQueryInformationProcess (272, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=584,ParentPid=428,}, 0x0, ) == 0x0 01947 432 NtAllocateVirtualMemory (-1, 0, 0, 1664, 4096, 4, ... 11272192, 4096, ) == 0x0 01948 432 NtAllocateVirtualMemory (272, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 01949 432 NtWriteVirtualMemory (272, 0x10000, (272, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 01950 432 NtAllocateVirtualMemory (272, 0, 0, 1664, 4096, 4, ... 131072, 4096, ) == 0x0 01951 432 NtWriteVirtualMemory (272, 0x20000, (272, 0x20000, "\0\20\0\0\200\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0>\0@\0\230\5\0\0B\0D\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\0@\0\34\6\0\0\36\0 
\0\\6\0\0\0\0\2\0|\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1664, ... 0x0, ) , 1664, ... 0x0, ) == 0x0 01952 432 NtWriteVirtualMemory (272, 0x7ffdf010, (272, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01953 432 NtWriteVirtualMemory (272, 0x7ffdf1e8, (272, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01954 432 NtFreeVirtualMemory (-1, (0xac0000), 0, 32768, ... (0xac0000), 4096, ) == 0x0 01955 432 NtAllocateVirtualMemory (272, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 01956 432 NtAllocateVirtualMemory (272, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 01957 432 NtProtectVirtualMemory (272, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 01958 432 NtCreateThread (0x1f03ff, 0x0, 272, 1240920, 1241640, 1, ... 
276, {584, 576}, ) == 0x0 01959 432 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312824, 1310720, 1372256, 1242740} (24, {168, 196, new_msg, 0, 1312824, 1310720, 1372256, 1242740} "\0\0\0\0\0\0\1\0\2$\370w U\367w\23\1\0\0\24\1\0\0H\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0W\0S\0\\0S\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 428, 432, 1521, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\20\1\0\0\24\1\0\0H\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0W\0S\0\\0S\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {168, 196, reply, 0, 428, 432, 1521, 0} (24, {168, 196, new_msg, 0, 1312824, 1310720, 1372256, 1242740} "\0\0\0\0\0\0\1\0\2$\370w U\367w\23\1\0\0\24\1\0\0H\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0W\0S\0\\0S\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 428, 432, 1521, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\20\1\0\0\24\1\0\0H\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0W\0S\0\\0S\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01960 432 NtResumeThread (276, ... 1, ) == 0x0 01961 432 NtClose (260, ... ) == 0x0 01962 432 NtClose (256, ... ) == 0x0 01963 432 NtClose (272, ... ) == 0x0 01964 432 NtClose (276, ... ) == 0x0 01965 432 NtClose (220, ... 
) == 0x0 01966 432 NtClose (212, ... ) == 0x0 01967 432 NtClose (208, ... ) == 0x0 01968 432 NtWaitForSingleObject (204, 0, 0x0, ... ) == 0x0 01969 432 NtReleaseMutant (204, ... 0x0, ) == 0x0 01970 432 NtClose (204, ... ) == 0x0 01971 432 NtWaitForSingleObject (200, 0, 0x0, ... ) == 0x0 01972 432 NtReleaseMutant (200, ... 0x0, ) == 0x0 01973 432 NtClose (200, ... ) == 0x0 01974 432 NtClose (196, ... ) == 0x0 01975 432 NtClose (192, ... ) == 0x0 01976 432 NtTerminateProcess (0, 0, ... 01497 572 NtDelayExecution ... ) == 0xc0 01976 432 NtTerminateProcess ... ) == 0x0 01977 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0 01978 432 NtGdiDeleteObjectApp (1309672426, ... ) == 0x1 01979 432 NtUserGetProcessWindowStation (... ) == 0x2c 01980 432 NtUserBuildNameList (44, 256, 1356464, 1244196, ... ) == 0x0 01981 432 NtUserGetProcessWindowStation (... ) == 0x2c 01982 432 NtUserOpenDesktop ({24, 44, 0x40, 0, 0, ({24, 44, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0xd8 01983 432 NtUserBuildHwndList (216, 0, 0, 0, 64, ... (0x100ac, 0x60036, 0x20060, 0x2005c, 0x100a2, 0x10080, 0x10076, 0x1006a, 0x3004c, 0x10068, 0x10066, 0x3003e, 0x1009a, 0x1008e, 0x1007e, 0x10026, 0x200b4, 0x100c2, 0x100c0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b2, 0x100b0, 0x2005e, 0x100ae, 0x100a4, 0x1006e, 0x50050, 0x40054, 0x5004e, 0x10084, 0x10078, 0x1, ), 35, ) == 0x0 01984 432 NtUserQueryWindow (65708, 0, ... ) == 0xbc 01985 432 NtUserQueryWindow (65708, 1, ... ) == 0xc0 01986 432 NtUserQueryWindow (393270, 0, ... ) == 0xbc 01987 432 NtUserQueryWindow (393270, 1, ... ) == 0xc0 01988 432 NtUserQueryWindow (131168, 0, ... ) == 0xbc 01989 432 NtUserQueryWindow (131168, 1, ... ) == 0xc0 01990 432 NtUserQueryWindow (131164, 0, ... ) == 0xbc 01991 432 NtUserQueryWindow (131164, 1, ... ) == 0xc0 01992 432 NtUserQueryWindow (65698, 0, ... ) == 0x7c0 01993 432 NtUserQueryWindow (65698, 1, ... ) == 0x7d4 01994 432 NtUserQueryWindow (65664, 0, ... 
) == 0x7c0 01995 432 NtUserQueryWindow (65664, 1, ... ) == 0x7d4 01996 432 NtUserBuildHwndList (0, 65664, 1, 0, 64, ... (0x10082, 0x10088, 0x1008a, 0x1008c, 0x10090, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009c, 0x1009e, 0x100a0, 0x1, ), 13, ) == 0x0 01997 432 NtUserQueryWindow (65666, 0, ... ) == 0x7c0 01998 432 NtUserQueryWindow (65666, 1, ... ) == 0x7d4 01999 432 NtUserQueryWindow (65672, 0, ... ) == 0x7c0 02000 432 NtUserQueryWindow (65672, 1, ... ) == 0x7d4 02001 432 NtUserQueryWindow (65674, 0, ... ) == 0x7c0 02002 432 NtUserQueryWindow (65674, 1, ... ) == 0x7d4 02003 432 NtUserQueryWindow (65676, 0, ... ) == 0x7c0 02004 432 NtUserQueryWindow (65676, 1, ... ) == 0x7d4 02005 432 NtUserQueryWindow (65680, 0, ... ) == 0x7c0 02006 432 NtUserQueryWindow (65680, 1, ... ) == 0x7d4 02007 432 NtUserQueryWindow (65682, 0, ... ) == 0x7c0 02008 432 NtUserQueryWindow (65682, 1, ... ) == 0x7d4 02009 432 NtUserQueryWindow (65684, 0, ... ) == 0x7c0 02010 432 NtUserQueryWindow (65684, 1, ... ) == 0x7d4 02011 432 NtUserQueryWindow (65686, 0, ... ) == 0x7c0 02012 432 NtUserQueryWindow (65686, 1, ... ) == 0x7d4 02013 432 NtUserQueryWindow (65688, 0, ... ) == 0x7c0 02014 432 NtUserQueryWindow (65688, 1, ... ) == 0x7d4 02015 432 NtUserQueryWindow (65692, 0, ... ) == 0x7c0 02016 432 NtUserQueryWindow (65692, 1, ... ) == 0x7d4 02017 432 NtUserQueryWindow (65694, 0, ... ) == 0x7c0 02018 432 NtUserQueryWindow (65694, 1, ... ) == 0x7d4 02019 432 NtUserQueryWindow (65696, 0, ... ) == 0x7c0 02020 432 NtUserQueryWindow (65696, 1, ... ) == 0x7d4 02021 432 NtUserQueryWindow (65654, 0, ... ) == 0x7c0 02022 432 NtUserQueryWindow (65654, 1, ... ) == 0x7d4 02023 432 NtUserQueryWindow (65642, 0, ... ) == 0x7c0 02024 432 NtUserQueryWindow (65642, 1, ... ) == 0x7d4 02025 432 NtUserQueryWindow (196684, 0, ... ) == 0x7c0 02026 432 NtUserQueryWindow (196684, 1, ... ) == 0x7d4 02027 432 NtUserQueryWindow (65640, 0, ... ) == 0x7c0 02028 432 NtUserQueryWindow (65640, 1, ... 
) == 0x7d4 02029 432 NtUserQueryWindow (65638, 0, ... ) == 0x7c0 02030 432 NtUserQueryWindow (65638, 1, ... ) == 0x7d4 02031 432 NtUserQueryWindow (196670, 0, ... ) == 0x7c0 02032 432 NtUserQueryWindow (196670, 1, ... ) == 0x7d4 02033 432 NtUserBuildHwndList (0, 196670, 1, 0, 64, ... (0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x3004a, 0x1006c, 0x10070, 0x10074, 0x1, ), 10, ) == 0x0 02034 432 NtUserQueryWindow (196674, 0, ... ) == 0x7c0 02035 432 NtUserQueryWindow (196674, 1, ... ) == 0x7d4 02036 432 NtUserQueryWindow (196672, 0, ... ) == 0x7c0 02037 432 NtUserQueryWindow (196672, 1, ... ) == 0x7d4 02038 432 NtUserQueryWindow (196676, 0, ... ) == 0x7c0 02039 432 NtUserQueryWindow (196676, 1, ... ) == 0x7d4 02040 432 NtUserQueryWindow (196678, 0, ... ) == 0x7c0 02041 432 NtUserQueryWindow (196678, 1, ... ) == 0x7d4 02042 432 NtUserQueryWindow (196680, 0, ... ) == 0x7c0 02043 432 NtUserQueryWindow (196680, 1, ... ) == 0x7d4 02044 432 NtUserQueryWindow (196682, 0, ... ) == 0x7c0 02045 432 NtUserQueryWindow (196682, 1, ... ) == 0x7d4 02046 432 NtUserQueryWindow (65644, 0, ... ) == 0x7c0 02047 432 NtUserQueryWindow (65644, 1, ... ) == 0x7d4 02048 432 NtUserQueryWindow (65648, 0, ... ) == 0x7c0 02049 432 NtUserQueryWindow (65648, 1, ... ) == 0x7d4 02050 432 NtUserQueryWindow (65652, 0, ... ) == 0x7c0 02051 432 NtUserQueryWindow (65652, 1, ... ) == 0x7d4 02052 432 NtUserQueryWindow (65690, 0, ... ) == 0x7c0 02053 432 NtUserQueryWindow (65690, 1, ... ) == 0x7d4 02054 432 NtUserQueryWindow (65678, 0, ... ) == 0x7c0 02055 432 NtUserQueryWindow (65678, 1, ... ) == 0x7d4 02056 432 NtUserQueryWindow (65662, 0, ... ) == 0x7c0 02057 432 NtUserQueryWindow (65662, 1, ... ) == 0x7c4 02058 432 NtUserQueryWindow (65574, 0, ... ) == 0x268 02059 432 NtUserQueryWindow (65574, 1, ... ) == 0x2c0 02060 432 NtUserRemoveProp (131252, 43285, ... ) == 0x0 02061 432 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 02062 432 NtClose (228, ... 
) == 0x0 02063 432 NtUserRemoveProp (131252, 43288, ... ) == 0x324440 02064 432 NtUserRemoveProp (131252, 43282, ... ) == 0x0 02065 432 NtUserQueryWindow (65730, 0, ... ) == 0xc8 02066 432 NtUserQueryWindow (65730, 1, ... ) == 0xb4 02067 432 NtUserQueryWindow (65728, 0, ... ) == 0xc8 02068 432 NtUserQueryWindow (65728, 1, ... ) == 0xb4 02069 432 NtUserQueryWindow (65726, 0, ... ) == 0xc8 02070 432 NtUserQueryWindow (65726, 1, ... ) == 0xb4 02071 432 NtUserQueryWindow (65724, 0, ... ) == 0xc8 02072 432 NtUserQueryWindow (65724, 1, ... ) == 0xb4 02073 432 NtUserQueryWindow (65722, 0, ... ) == 0xc8 02074 432 NtUserQueryWindow (65722, 1, ... ) == 0xb4 02075 432 NtUserQueryWindow (65720, 0, ... ) == 0xc8 02076 432 NtUserQueryWindow (65720, 1, ... ) == 0xb4 02077 432 NtUserQueryWindow (65714, 0, ... ) == 0xc8 02078 432 NtUserQueryWindow (65714, 1, ... ) == 0xb4 02079 432 NtUserQueryWindow (65712, 0, ... ) == 0xc8 02080 432 NtUserQueryWindow (65712, 1, ... ) == 0xb4 02081 432 NtUserQueryWindow (131166, 0, ... ) == 0xd8 02082 432 NtUserQueryWindow (131166, 1, ... ) == 0xdc 02083 432 NtUserQueryWindow (65710, 0, ... ) == 0xbc 02084 432 NtUserQueryWindow (65710, 1, ... ) == 0xc0 02085 432 NtUserQueryWindow (65700, 0, ... ) == 0xb0 02086 432 NtUserQueryWindow (65700, 1, ... ) == 0xb8 02087 432 NtUserQueryWindow (65646, 0, ... ) == 0x7c0 02088 432 NtUserQueryWindow (65646, 1, ... ) == 0x7f0 02089 432 NtUserQueryWindow (327760, 0, ... ) == 0x7c0 02090 432 NtUserQueryWindow (327760, 1, ... ) == 0x7c4 02091 432 NtUserQueryWindow (262228, 0, ... ) == 0x7c0 02092 432 NtUserQueryWindow (262228, 1, ... ) == 0x7c4 02093 432 NtUserQueryWindow (327758, 0, ... ) == 0x7c0 02094 432 NtUserQueryWindow (327758, 1, ... ) == 0x7c4 02095 432 NtUserQueryWindow (65668, 0, ... ) == 0x7c0 02096 432 NtUserQueryWindow (65668, 1, ... ) == 0x7c4 02097 432 NtUserQueryWindow (65656, 0, ... ) == 0x7c0 02098 432 NtUserQueryWindow (65656, 1, ... 
) == 0x7c4 02099 432 NtUserBuildHwndList (0, 65656, 1, 0, 64, ... (0x1007a, 0x1007c, 0x1, ), 3, ) == 0x0 02100 432 NtUserQueryWindow (65658, 0, ... ) == 0x7c0 02101 432 NtUserQueryWindow (65658, 1, ... ) == 0x7c4 02102 432 NtUserQueryWindow (65660, 0, ... ) == 0x7c0 02103 432 NtUserQueryWindow (65660, 1, ... ) == 0x7c4 02104 432 NtUserCloseDesktop (216, ... 02105 432 NtClose (216, ... ) == 0x0 02104 432 NtUserCloseDesktop ... ) == 0x1 02106 432 NtUserGetProcessWindowStation (... ) == 0x2c 02107 432 NtUserOpenDesktop ({24, 44, 0x40, 0, 0, ({24, 44, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02108 432 NtUserGetProcessWindowStation (... ) == 0x2c 02109 432 NtUserOpenDesktop ({24, 44, 0x40, 0, 0, ({24, 44, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02110 432 NtGdiDeleteObjectApp (168428548, ... ) == 0x1 02111 432 NtGdiDeleteObjectApp (1057620866, ... ) == 0x1 02112 432 NtClose (224, ... ) == 0x0 02113 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0 02114 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc03b 02115 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02116 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc03d 02117 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02118 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc03f 02119 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02120 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc041 02121 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02122 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc043 02123 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02124 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... 
) == 0xc045 02125 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02126 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc047 02127 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02128 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc049 02129 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02130 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc04b 02131 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02132 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc04d 02133 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02134 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc04f 02135 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02136 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc051 02137 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02138 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc053 02139 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02140 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc057 02141 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02142 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc059 02143 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02144 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc05b 02145 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02146 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... ) == 0xc05d 02147 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02148 432 NtUserGetClassInfo (1999896576, 1244244, 1244196, 1244272, 0, ... 
) == 0xc05f 02149 432 NtUserUnregisterClass (1244248, 1999896576, 1244236, ... ) == 0x1 02150 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc03b 02151 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02152 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc03d 02153 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02154 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc03f 02155 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02156 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc041 02157 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02158 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc043 02159 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02160 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc045 02161 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02162 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc047 02163 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02164 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc049 02165 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02166 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc04b 02167 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02168 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc04d 02169 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02170 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc04f 02171 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02172 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... 
) == 0xc051 02173 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02174 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc053 02175 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02176 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc057 02177 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02178 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc059 02179 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02180 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc05b 02181 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02182 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc05d 02183 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02184 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc05f 02185 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02186 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc017 02187 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02188 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc019 02189 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02190 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc018 02191 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02192 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc01a 02193 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02194 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc01c 02195 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02196 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... 
) == 0xc01e 02197 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02198 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc01b 02199 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02200 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc068 02201 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02202 432 NtUserGetClassInfo (1905590272, 1244244, 1244196, 1244272, 0, ... ) == 0xc06a 02203 432 NtUserUnregisterClass (1244248, 1905590272, 1244236, ... ) == 0x1 02204 432 NtUnmapViewOfSection (-1, 0x3b0000, ... ) == 0x0 02205 432 NtFreeVirtualMemory (-1, (0x3c0000), 0, 32768, ... (0x3c0000), 65536, ) == 0x0 02206 432 NtClose (156, ... ) == 0x0 02207 432 NtClose (160, ... ) == 0x0 02208 432 NtClose (168, ... ) == 0x0 02209 432 NtClose (164, ... ) == 0x0 02210 432 NtClose (172, ... ) == 0x0 02211 432 NtClose (148, ... ) == 0x0 02212 432 NtClose (152, ... ) == 0x0 02213 432 NtClose (188, ... ) == 0x0 02214 432 NtClose (184, ... ) == 0x0 02215 432 NtClose (180, ... ) == 0x0 02216 432 NtClose (176, ... ) == 0x0 02217 432 NtClose (144, ... ) == 0x0 02218 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 02219 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0 02220 432 NtClose (128, ... ) == 0x0 02221 432 NtClose (136, ... ) == 0x0 02222 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 02223 432 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 02224 432 NtClose (132, ... ) == 0x0 02225 432 NtClose (116, ... ) == 0x0 02226 432 NtClose (112, ... ) == 0x0 02227 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 02228 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 02229 432 NtClose (100, ... ) == 0x0 02230 432 NtClose (96, ... ) == 0x0 02231 432 NtClose (84, ... ) == 0x0 02232 432 NtClose (88, ... 
) == 0x0 02233 432 NtClose (92, ... ) == 0x0 02234 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 02235 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 02236 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 02237 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 02238 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02239 432 NtWaitForMultipleObjects (2, (60, 64, ), 1, 0, 0x0, ... ) == 0x1 02240 432 NtClose (64, ... ) == 0x0 02241 432 NtSetEvent (60, ... 0x0, ) == 0x0 02242 432 NtClose (60, ... ) == 0x0 02243 432 NtWaitForMultipleObjects (2, (68, 72, ), 1, 0, 0x0, ... ) == 0x1 02244 432 NtClose (72, ... ) == 0x0 02245 432 NtSetEvent (68, ... 0x0, ) == 0x0 02246 432 NtClose (68, ... ) == 0x0 02247 432 NtWaitForMultipleObjects (2, (76, 80, ), 1, 0, 0x0, ... ) == 0x1 02248 432 NtClose (80, ... ) == 0x0 02249 432 NtSetEvent (76, ... 0x0, ) == 0x0 02250 432 NtClose (76, ... ) == 0x0 02251 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02252 432 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 02253 432 NtFreeVirtualMemory (-1, (0x360000), 0, 32768, ... (0x360000), 262144, ) == 0x0 02254 432 NtUserUnregisterClass (1244156, 1991376896, 1244144, ... ) == 0x0 02255 432 NtFreeVirtualMemory (-1, (0xab0000), 4096, 32768, ... (0xab0000), 4096, ) == 0x0 02256 432 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 4424148, 1356424, 4063608, 4080648} (24, {20, 48, new_msg, 0, 4424148, 1356424, 4063608, 4080648} "\0\0\0\0\3\0\1\0\310\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 428, 432, 1540, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 428, 432, 1540, 0} (24, {20, 48, new_msg, 0, 4424148, 1356424, 4063608, 4080648} "\0\0\0\0\3\0\1\0\310\0\0\0\0\0\0\0\0\0\0\0" ... 
{20, 48, reply, 0, 428, 432, 1540, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02257 432 NtTerminateProcess (-1, 0, ... 02258 432 NtClose (48, ... ) == 0x0
