Summary:


NtAddAtom(>)  1 
NtUserGetObjectInformation(>)  1 
NtOpenEvent(>)  4 
NtCreateEvent(>)  26 

NtAdjustPrivilegesToken(>)  1 
NtUserGetProcessWindowStation(>)  1 
NtQueryPerformanceCounter(>)  4 
NtFreeVirtualMemory(>)  28 

NtCallbackReturn(>)  1 
NtUserGetThreadDesktop(>)  1 
NtSetInformationObject(>)  4 
NtOpenProcess(>)  29 

NtCreateThread(>)  1 
NtAccessCheck(>)  2 
NtFsControlFile(>)  5 
NtOpenFile(>)  30 

NtEnumerateValueKey(>)  1 
NtContinue(>)  2 
NtGdiGetStockObject(>)  5 
NtCreateFile(>)  31 

NtGdiCreateBitmap(>)  1 
NtCreateIoCompletion(>)  2 
NtOpenProcessToken(>)  5 
NtUserFindExistingCursorIcon(>)  34 

NtGdiInit(>)  1 
NtEnumerateKey(>)  2 
NtSetInformationFile(>)  5 
NtRequestWaitReplyPort(>)  39 

NtGdiQueryFontAssocInfo(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryDefaultUILanguage(>)  6 
NtUserRegisterClassExWOW(>)  42 

NtGdiSelectBitmap(>)  1 
NtNotifyChangeKey(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtQueryVirtualMemory(>)  54 

NtOpenKeyedEvent(>)  1 
NtOpenDirectoryObject(>)  2 
NtWaitForSingleObject(>)  6 
NtOpenSection(>)  57 

NtOpenSymbolicLinkObject(>)  1 
NtOpenThreadToken(>)  2 
NtCreateMutant(>)  7 
NtCreateSection(>)  76 

NtQueryInstallUILanguage(>)  1 
NtQueryKey(>)  2 
NtQueryInformationProcess(>)  7 
NtQueryAttributesFile(>)  77 

NtQueryObject(>)  1 
NtReadFile(>)  2 
NtUserSystemParametersInfo(>)  7 
NtQuerySystemInformation(>)  82 

NtQuerySymbolicLinkObject(>)  1 
NtUserRegisterWindowMessage(>)  2 
NtQueryDebugFilterState(>)  8 
NtUnmapViewOfSection(>)  82 

NtQuerySystemTime(>)  1 
NtWaitForMultipleObjects(>)  2 
NtSetValueKey(>)  8 
NtAllocateVirtualMemory(>)  95 

NtRegisterThreadTerminatePort(>)  1 
NtWriteFile(>)  2 
NtOpenProcessTokenEx(>)  9 
NtFlushInstructionCache(>)  101 

NtResumeThread(>)  1 
NtCreateSemaphore(>)  3 
NtOpenThreadTokenEx(>)  9 
NtWriteVirtualMemory(>)  116 

NtSecureConnectPort(>)  1 
NtDelayExecution(>)  3 
NtQueryInformationFile(>)  9 
NtMapViewOfSection(>)  142 

NtSetInformationProcess(>)  1 
NtDuplicateObject(>)  3 
NtCreateKey(>)  11 
NtOpenKey(>)  190 

NtTestAlert(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryInformationToken(>)  12 
NtQueryValueKey(>)  256 

NtUserCallNoParam(>)  1 
NtQueryDefaultLocale(>)  3 
NtQuerySection(>)  13 
NtProtectVirtualMemory(>)  319 

NtUserCallOneParam(>)  1 
NtSetInformationThread(>)  3 
NtQueryDirectoryFile(>)  14 
NtClose(>)  379 

NtUserGetDC(>)  1 
NtConnectPort(>)  4 
NtDeviceIoControlFile(>)  24 

Trace:
 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147481368, {status=0x0, info=1}, ) }, 0, 32, ... -2147481368, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147481368, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147481368, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147481368, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147481368, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147481368, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147481368, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147481368, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147481368, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147481368, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147481368, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147481368, 0, 0x0, 0x0, 0x90120,  (-2147481368, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147482764, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147482764, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147482764, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147482764, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147482764, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00037   896   NtClose  (-2147482688, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0
 00053   896   NtClose  (-2147482760, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0
 00055   896   NtClose  (-2147481628, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0
 00057   896   NtClose  (-2147481484, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147481480, ) == 0x0
 00059   896   NtClose  (-2147481480, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481480, ... -2147482136, ) == 0x0
 00061   896   NtClose  (-2147482136, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482136, ... -2147482748, ) == 0x0
 00063   896   NtClose  (-2147482748, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482748, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147482764, ... ) == 0x0
 00093   896   NtClose  (-2147482688, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147482760, ... ) == 0x0
 00102   896   NtClose  (-2147481628, ... ) == 0x0
 00103   896   NtClose  (-2147481484, ... ) == 0x0
 00104   896   NtClose  (-2147481480, ... ) == 0x0
 00105   896   NtClose  (-2147482136, ... ) == 0x0
 00106   896   NtClose  (-2147482748, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147482748, ) == 0x0
 00145   896   NtClose  (-2147482748, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482748, ... -2147482136, ) == 0x0
 00147   896   NtClose  (-2147482136, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482136, ... -2147481480, ) == 0x0
 00149   896   NtClose  (-2147481480, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481480, ... -2147481484, ) == 0x0
 00151   896   NtClose  (-2147481484, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0
 00153   896   NtClose  (-2147481628, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0
 00155   896   NtClose  (-2147482760, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147482748, ... ) == 0x0
 00178   896   NtClose  (-2147482136, ... ) == 0x0
 00179   896   NtClose  (-2147481480, ... ) == 0x0
 00180   896   NtClose  (-2147481484, ... ) == 0x0
 00181   896   NtClose  (-2147481628, ... ) == 0x0
 00182   896   NtClose  (-2147482760, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147481368, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 8, ) }, ... 8, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 12, ) }, ... 12, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "KnownDllPath"}, ... 16, ) }, ... 16, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (16, ...  (16, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (16, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 16, {status=0x0, info=1}, ) }, 3, 33, ... 16, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (16, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "kernel32.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00204   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (20, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 20, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 28, {24, 20, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 28, {24, 20, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (20, ... ) == 0x0
 00215   896   NtQueryObject  (28, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (28, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81831, 0}  (28, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 20, ) }, ... 20, ) == 0x0
 00224   896   NtQueryValueKey  (20,  (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (20, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 20, ) }, ... 20, ) == 0x0
 00227   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (20, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 20, ) }, ... 20, ) == 0x0
 00231   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (20, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 20, ) }, ... 20, ) == 0x0
 00234   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (20, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (20, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 20, ) }, ... 20, ) == 0x0
 00238   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (20, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81832, 0}  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81833, 0}  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtWaitForMultipleObjects  (2, (20, 32, ), 1, 0, 0x0, ... ) == 0x0
 00247   896   NtClose  (20, ... ) == 0x0
 00248   896   NtClose  (32, ... ) == 0x0
 00249   896   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0<\0\0\0\0\0" ... {24, 52, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0<\0\0\0\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81834, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0<\0\0\0\0\0" ... {24, 52, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0<\0\0\0\0\0" )  ) == 0x0
 00250   896   NtProtectVirtualMemory  (-1, (0x40a000), 34158, 4, ... (0x40a000), 36864, 64, ) == 0x0
 00251   896   NtProtectVirtualMemory  (-1, (0x40a000), 36864, 64, ... (0x40a000), 36864, 4, ) == 0x0
 00252   896   NtFlushInstructionCache  (-1, 4235264, 34158, ... ) == 0x0
 00253   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "ADVAPI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00254   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00255   896   NtClose  (32, ... ) == 0x0
 00256   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00257   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00258   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00259   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "RPCRT4.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00260   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00261   896   NtClose  (32, ... ) == 0x0
 00262   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00263   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00264   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00265   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00266   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00267   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00268   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00269   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00270   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00271   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00272   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00273   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00274   896   NtProtectVirtualMemory  (-1, (0x40a000), 34158, 4, ... (0x40a000), 36864, 64, ) == 0x0
 00275   896   NtProtectVirtualMemory  (-1, (0x40a000), 36864, 64, ... (0x40a000), 36864, 4, ) == 0x0
 00276   896   NtFlushInstructionCache  (-1, 4235264, 34158, ... ) == 0x0
 00277   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "ICMP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00278   896   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00279   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ICMP.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00280   896   NtFsControlFile  (16, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00281   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ICMP.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00282   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ICMP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00283   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 20, ) == 0x0
 00284   896   NtQuerySection  (20, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00285   896   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00286   896   NtQueryInformationToken  (44, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00287   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 48, ) }, ... 48, ) == 0x0
 00289   896   NtQueryValueKey  (48,  (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00290   896   NtClose  (48, ... ) == 0x0
 00291   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00292   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00293   896   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00294   896   NtClose  (48, ... ) == 0x0
 00295   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   896   NtClose  (44, ... ) == 0x0
 00297   896   NtClose  (32, ... ) == 0x0
 00298   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0
 00299   896   NtClose  (20, ... ) == 0x0
 00300   896   NtProtectVirtualMemory  (-1, (0x40a000), 34158, 4, ... (0x40a000), 36864, 64, ) == 0x0
 00301   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242264, ... ) }, 1242264, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00303   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242264, ... ) }, 1242264, ... ) == 0x0
 00304   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00305   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 20, ... 32, ) == 0x0
 00306   896   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00307   896   NtClose  (20, ... ) == 0x0
 00308   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 00309   896   NtClose  (32, ... ) == 0x0
 00310   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00311   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00312   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00313   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00314   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00315   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00316   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "msvcrt.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00317   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00318   896   NtClose  (32, ... ) == 0x0
 00319   896   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00320   896   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00321   896   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00322   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00323   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00324   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00325   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00326   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00327   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00328   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "USER32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00329   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00330   896   NtClose  (32, ... ) == 0x0
 00331   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00332   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00333   896   NtClose  (32, ... ) == 0x0
 00334   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00335   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00336   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00337   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00338   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00339   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00340   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00341   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00342   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00343   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00344   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00345   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00346   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00347   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00348   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00349   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00350   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00351   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00352   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00353   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00354   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00355   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00356   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00357   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1241476, ... ) }, 1241476, ... ) == 0x0
 00358   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00359   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 20, ) == 0x0
 00360   896   NtQuerySection  (20, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00361   896   NtClose  (32, ... ) == 0x0
 00362   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00363   896   NtClose  (20, ... ) == 0x0
 00364   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00365   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00366   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00367   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00368   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240660, ... ) }, 1240660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00369   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1240660, ... ) }, 1240660, ... ) == 0x0
 00370   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00371   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 20, ... 32, ) == 0x0
 00372   896   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00373   896   NtClose  (20, ... ) == 0x0
 00374   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00375   896   NtClose  (32, ... ) == 0x0
 00376   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00377   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00378   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00379   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00380   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00381   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00382   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00383   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00384   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00385   896   NtProtectVirtualMemory  (-1, (0x40a000), 36864, 64, ... (0x40a000), 36864, 4, ) == 0x0
 00386   896   NtFlushInstructionCache  (-1, 4235264, 34158, ... ) == 0x0
 00387   896   NtProtectVirtualMemory  (-1, (0x40a000), 34158, 4, ... (0x40a000), 36864, 64, ) == 0x0
 00388   896   NtProtectVirtualMemory  (-1, (0x40a000), 36864, 64, ... (0x40a000), 36864, 4, ) == 0x0
 00389   896   NtFlushInstructionCache  (-1, 4235264, 34158, ... ) == 0x0
 00390   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "urlmon.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00391   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42cf0000), 0x0, 1208320, ) == 0x0
 00392   896   NtClose  (32, ... ) == 0x0
 00393   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00394   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00395   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00396   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00397   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00398   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00399   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "ole32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00400   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00401   896   NtClose  (32, ... ) == 0x0
 00402   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00403   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00404   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00405   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00406   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00407   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00408   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00409   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00410   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00411   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00412   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00413   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00414   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00415   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00416   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00417   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00418   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00419   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00420   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00421   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00422   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00423   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00424   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00425   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00426   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "OLEAUT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00427   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00428   896   NtClose  (32, ... ) == 0x0
 00429   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00430   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00431   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00432   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00433   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00434   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00435   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00436   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00437   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00438   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00439   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00440   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00441   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00442   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00443   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00444   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00445   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00446   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00447   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00448   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00449   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00450   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00451   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00452   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00453   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00454   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00455   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00456   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "SHLWAPI.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00457   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00458   896   NtClose  (32, ... ) == 0x0
 00459   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00460   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00461   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00462   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00463   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00464   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00465   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00466   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00467   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00468   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00469   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00470   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00471   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00472   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00473   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00474   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00475   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00476   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00477   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00478   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00479   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00480   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00481   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00482   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00483   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00484   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00485   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00486   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "iertutil.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00487   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 00488   896   NtClose  (32, ... ) == 0x0
 00489   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00490   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00491   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00492   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00493   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00494   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00495   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00496   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00497   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00498   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00499   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00500   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00501   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00502   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00503   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00504   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00505   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00506   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00507   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00508   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00509   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00510   896   NtProtectVirtualMemory  (-1, (0x40a000), 34158, 4, ... (0x40a000), 36864, 64, ) == 0x0
 00511   896   NtProtectVirtualMemory  (-1, (0x40a000), 36864, 64, ... (0x40a000), 36864, 4, ) == 0x0
 00512   896   NtFlushInstructionCache  (-1, 4235264, 34158, ... ) == 0x0
 00513   896   NtProtectVirtualMemory  (-1, (0x40a000), 34158, 4, ... (0x40a000), 36864, 64, ) == 0x0
 00514   896   NtProtectVirtualMemory  (-1, (0x40a000), 36864, 64, ... (0x40a000), 36864, 4, ) == 0x0
 00515   896   NtFlushInstructionCache  (-1, 4235264, 34158, ... ) == 0x0
 00516   896   NtProtectVirtualMemory  (-1, (0x40a000), 34158, 4, ... (0x40a000), 36864, 64, ) == 0x0
 00517   896   NtProtectVirtualMemory  (-1, (0x40a000), 36864, 64, ... (0x40a000), 36864, 4, ) == 0x0
 00518   896   NtFlushInstructionCache  (-1, 4235264, 34158, ... ) == 0x0
 00519   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00520   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00521   896   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00522   896   NtQueryInformationToken  (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00523   896   NtClose  (32, ... ) == 0x0
 00524   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00525   896   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00526   896   NtClose  (32, ... ) == 0x0
 00527   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00528   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00529   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00530   896   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00531   896   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00532   896   NtClose  (32, ... ) == 0x0
 00533   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00534   896   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00535   896   NtClose  (32, ... ) == 0x0
 00536   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00537   896   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00538   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00539   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00540   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00541   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00542   896   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00543   896   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00544   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1311080, 0, 0, 1325904}  (28, {28, 56, new_msg, 0, 1311080, 0, 0, 1325904} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0 \0\0\0\1\0<\0\3\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81835, 0} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0\1\0\0\0\1\0<\0\3\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81835, 0}  (28, {28, 56, new_msg, 0, 1311080, 0, 0, 1325904} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0 \0\0\0\1\0<\0\3\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81835, 0} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0\1\0\0\0\1\0<\0\3\0\0\0" )  ) == 0x0
 00545   896   NtQueryVolumeInformationFile  (4, 1243360, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00546   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089884154, 3284816, 1, 0}  (28, {28, 56, new_msg, 0, 2089884154, 3284816, 1, 0} "\0\0\0\0#\2\2\0\340\312\227|\234\367\22\0\1\0\0\0\1\0<\0\13\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81836, 0} "\0\0\0\0#\2\2\0\0\0\0\0\234\367\22\0\1\0\0\0\1\0<\0\13\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81836, 0}  (28, {28, 56, new_msg, 0, 2089884154, 3284816, 1, 0} "\0\0\0\0#\2\2\0\340\312\227|\234\367\22\0\1\0\0\0\1\0<\0\13\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81836, 0} "\0\0\0\0#\2\2\0\0\0\0\0\234\367\22\0\1\0\0\0\1\0<\0\13\0\0\0" )  ) == 0x0
 00547   896   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00548   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 20, ) }, ... 20, ) == 0x0
 00549   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00550   896   NtClose  (20, ... ) == 0x0
 00551   896   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00552   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00553   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00554   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00555   896   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00556   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00557   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00558   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00559   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (28, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6!\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81837, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81837, 0}  (28, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6!\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81837, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00560   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 20, ) }, ... 20, ) == 0x0
 00561   896   NtQueryValueKey  (20,  (20, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00562   896   NtClose  (20, ... ) == 0x0
 00563   896   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00564   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00565   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00566   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 20, ... 44, ) == 0x0
 00567   896   NtClose  (20, ... ) == 0x0
 00568   896   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00569   896   NtClose  (44, ... ) == 0x0
 00570   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00571   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00572   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00573   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 44, ... 20, ) == 0x0
 00574   896   NtClose  (44, ... ) == 0x0
 00575   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00576   896   NtClose  (20, ... ) == 0x0
 00577   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00578   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00579   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00580   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 20, ... 44, ) == 0x0
 00581   896   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00582   896   NtClose  (20, ... ) == 0x0
 00583   896   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00584   896   NtClose  (44, ... ) == 0x0
 00585   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00586   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00587   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00588   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00589   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00590   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00591   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00592   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00593   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00594   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00596   896   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00597   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00598   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00599   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00601   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00602   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00605   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00607   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00609   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00610   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00611   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 44, ) }, ... 44, ) == 0x0
 00612   896   NtQueryValueKey  (44,  (44, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00613   896   NtClose  (44, ... ) == 0x0
 00614   896   NtMapViewOfSection  (-2147481368, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4f0000), 0x0, 1060864, ) == 0x0
 00615   896   NtClose  (-2147481368, ... ) == 0x0
 00616   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00617   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00618   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147481368, ) == 0x0
 00619   896   NtQueryInformationToken  (-2147481368, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00620   896   NtQueryInformationToken  (-2147481368, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00621   896   NtClose  (-2147481368, ... ) == 0x0
 00622   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00623   896   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00624   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00625   896   NtQueryValueKey  (-2147481368,  (-2147481368, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00626   896   NtClose  (-2147481368, ... ) == 0x0
 00627   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00628   896   NtQueryValueKey  (-2147481368,  (-2147481368, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00629   896   NtClose  (-2147481368, ... ) == 0x0
 00630   896   NtQueryDefaultLocale  (0, -135747252, ... ) == 0x0
 00631   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00632   896   NtUserCallNoParam  (24, ... ) == 0x0
 00633   896   NtGdiCreateCompatibleDC  (0, ...
 00634   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00633   896   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00635   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00636   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00637   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00638   896   NtGdiCreateSolidBrush  (0, 0, ...
 00639   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00638   896   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00640   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00641   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00642   896   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00643   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x30
 00644   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00645   896   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00646   896   NtClose  (52, ... ) == 0x0
 00647   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00648   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8177c017
 00649   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00650   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8177c01c
 00651   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00652   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8177c01e
 00653   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00654   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81778002
 00655   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00656   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8177c018
 00657   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00658   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8177c01a
 00659   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00660   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8177c01d
 00661   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00662   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8177c026
 00663   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00664   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8177c019
 00665   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c020
 00666   896   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c022
 00667   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c023
 00668   896   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c024
 00669   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c025
 00670   896   NtCallbackReturn  (0, 0, 0, ...
 00671   896   NtGdiInit  (... ) == 0x1
 00672   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00673   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00674   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00675   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00676   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00677   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3538944, 65536, ) == 0x0
 00678   896   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0
 00679   896   NtAllocateVirtualMemory  (-1, 3543040, 0, 8192, 4096, 4, ... 3543040, 8192, ) == 0x0
 00680   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) == 0x0
 00681   896   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 56, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 56, {status=0x0, info=0}, ) == 0x0
 00682   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 60, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 60, {status=0x0, info=0}, ) == 0x0
 00683   896   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 64, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 64, {status=0x0, info=0}, ) == 0x0
 00684   896   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1243288,  (0x20100080, {24, 0, 0x40, 0, 1243288, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) == 0x0
 00685   896   NtAllocateVirtualMemory  (-1, 3551232, 0, 36864, 4096, 4, ... 3551232, 36864, ) == 0x0
 00686   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00687   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 00688   896   NtClose  (72, ... ) == 0x0
 00689   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00690   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 00691   896   NtClose  (72, ... ) == 0x0
 00692   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00693   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363m\201\1\0\0\0\5\0\0\0\232A\250\25\333\11\241\6]\205\1\0\326\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1770k\0\340\221\0\0\356\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363m\201\1\0\0\0\5\0\0\0\232A\250\25\333\11\241\6]\205\1\0\326\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1770k\0\340\221\0\0\356\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 00694   896   NtClose  (72, ... ) == 0x0
 00695   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00696   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 00697   896   NtClose  (72, ... ) == 0x0
 00698   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00699   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 00700   896   NtClose  (72, ... ) == 0x0
 00701   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00702   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 00703   896   NtClose  (72, ... ) == 0x0
 00704   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00705   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00706   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00707   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00708   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00709   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00710   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00711   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00712   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00713   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00714   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00715   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00716   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00717   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00718   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00719   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00720   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00721   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00722   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00723   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00724   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00725   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00726   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00727   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00728   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00729   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00730   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00731   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00732   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00733   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00734   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00735   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00736   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00737   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00738   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00739   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00740   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00741   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00742   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00743   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00744   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00745   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00746   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00747   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00748   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00749   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00750   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00751   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00752   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00753   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00754   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00755   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00756   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00757   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00758   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00759   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00760   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00761   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00762   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00763   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00764   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00765   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00766   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00767   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00768   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00769   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00770   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00771   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00772   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00773   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00774   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00775   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00776   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00777   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00778   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00779   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00780   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00781   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00782   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00783   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00784   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00785   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00786   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00787   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00788   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00789   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00790   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00791   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00792   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00793   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00794   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00795   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00796   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00797   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00798   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00799   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00800   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00801   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00802   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00803   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00804   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00805   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00806   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00807   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00808   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00809   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00810   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00811   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00812   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00813   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00814   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00815   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00816   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00817   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00818   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00819   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00820   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00821   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00822   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00823   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00824   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00825   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00826   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00827   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00828   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00829   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00830   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00831   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 80, ) }, ... 80, ) == 0x0
 00832   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 84, ) }, ... 84, ) == 0x0
 00833   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 88, ) }, ... 88, ) == 0x0
 00834   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00835   896   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00836   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 96, {status=0x0, info=0}, ) }, 7, 16, ... 96, {status=0x0, info=0}, ) == 0x0
 00837   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22o[\254'`S\301\33=\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00838   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00839   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00840   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00841   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00842   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00843   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00844   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00845   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 00846   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "!4\273(\27\305\3255\6y9B\20\373\347\327F\377\274\315\273+\242\30\377w\310N\227ZDm\302\321S\237\241\223\300\235@SYH\206\357m\217\21Y\314\11\226\374\273pRvU\21Q\210a8Y'\234\266\351\4\274\204|;\301\264\1J\233\275", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "!4\273(\27\305\3255\6y9B\20\373\347\327F\377\274\315\273+\242\30\377w\310N\227ZDm\302\321S\237\241\223\300\235@SYH\206\357m\217\21Y\314\11\226\374\273pRvU\21Q\210a8Y'\234\266\351\4\274\204|;\301\264\1J\233\275", 80, ... ) , 80, ... ) == 0x0
 00847   896   NtClose  (-2147481368, ... ) == 0x0
 00837   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\271S\267\274\3\334U\256"\262\266\360\274\320\223\271\264B\225l<\270\31\223\347%Wm\210\361\35\250vL\36o\213\24\342\13\1\327Z\326\30\260^\252\373l\347`\232A3n\273\207|\352c\244\363\261\273\256\246F<\345\309w\241\355\362l\316\202]\216\265\305\246^D\5\2240I\304uJ\6\252{\360\247lr\216\203\276m\24\232L\327/\330\332\32\22\206\212\343\342\366\241\356;V\242\262\24\250\203\372\235\242\375\362$\361y \365a\274a^1\262bd\350\307\363\220\374X\177}JS\251>\201\202\367,4\1\31T\234\363\377\243\370\371\250\30\352>\220 \255\374\2658\202\34\342\321k~X\312`)R\235\15\254\264\355\361\325\214\270\320\375b\10\263r\303\366oK\3772\342\35t\345 \303h\242\267-\370+\360I#X(z\335BX", ) \262\266\360\274\320\223\271\264B\225l<\270\31\223\347%Wm\210\361\35\250vL\36o\213\24\342\13\1\327Z\326\30\260^\252\373l\347`\232A3n\273\207|\352c\244\363\261\273\256\246F<\345\309w\241\355\362l\316\202]\216\265\305\246^D\5\2240I\304uJ\6\252{\360\247lr\216\203\276m\24\232L\327/\330\332\32\22\206\212\343\342\366\241\356;V\242\262\24\250\203\372\235\242\375\362$\361y \365a\274a^1\262bd\350\307\363\220\374X\177}JS\251>\201\202\367,4\1\31T\234\363\377\243\370\371\250\30\352>\220 \255\374\2658\202\34\342\321k~X\312`)R\235\15\254\264\355\361\325\214\270\320\375b\10\263r\303\366oK\3772\342\35t\345 \303h200\236\314\365\262c`\316\324\342Ku\30\3)\2751\255>\242\267-\370+\360I#X(z\335BX", ) == 0x0
 00848   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00849   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00850   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 100, ) }, ... 100, ) == 0x0
 00851   896   NtQueryValueKey  (100,  (100, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00852   896   NtClose  (100, ... ) == 0x0
 00853   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 100, ) }, ... 100, ) == 0x0
 00854   896   NtQueryValueKey  (100,  (100, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   896   NtClose  (100, ... ) == 0x0
 00856   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00857   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00858   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00859   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00860   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 100, ) }, ... 100, ) == 0x0
 00861   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00863   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   896   NtClose  (100, ... ) == 0x0
 00865   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 100, ) }, ... 100, ) == 0x0
 00866   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00868   896   NtClose  (100, ... ) == 0x0
 00869   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 100, ) }, ... 100, ) == 0x0
 00870   896   NtOpenEvent  (0x1f0003, {24, 100, 0x0, 0, 0,  (0x1f0003, {24, 100, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00871   896   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00872   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   896   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   896   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876   896   NtCreateSemaphore  (0x1f0003, {24, 100, 0x80, 1334456, 0,  (0x1f0003, {24, 100, 0x80, 1334456, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 104, ) }, 0, 2147483647, ... 104, ) == STATUS_OBJECT_NAME_EXISTS
 00877   896   NtQueryPerformanceCounter  (... {-1451402190, 16}, {3579545, 0}, ) == 0x0
 00878   896   NtQueryPerformanceCounter  (... {-1451401637, 16}, {3579545, 0}, ) == 0x0
 00879   896   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00880   896   NtCreateMutant  (0x1f0001, {24, 100, 0x80, 0, 0,  (0x1f0001, {24, 100, 0x80, 0, 0, "Local\ZonesCounterMutex"}, 0, ... 108, ) }, 0, ... 108, ) == STATUS_OBJECT_NAME_EXISTS
 00881   896   NtCreateMutant  (0x1f0001, {24, 100, 0x80, 0, 0,  (0x1f0001, {24, 100, 0x80, 0, 0, "Local\ZonesCacheCounterMutex"}, 0, ... 112, ) }, 0, ... 112, ) == STATUS_OBJECT_NAME_EXISTS
 00882   896   NtCreateMutant  (0x1f0001, {24, 100, 0x80, 0, 0,  (0x1f0001, {24, 100, 0x80, 0, 0, "Local\ZonesLockedCacheCounterMutex"}, 0, ... 116, ) }, 0, ... 116, ) == STATUS_OBJECT_NAME_EXISTS
 00883   896   NtQueryDefaultUILanguage  (1242164, ...
 00884   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00885   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 00886   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00887   896   NtClose  (-2147481368, ... ) == 0x0
 00888   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00889   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00891   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00892   896   NtClose  (-2147481452, ... ) == 0x0
 00893   896   NtClose  (-2147481368, ... ) == 0x0
 00883   896   NtQueryDefaultUILanguage  ... ) == 0x0
 00894   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00896   896   NtRequestWaitReplyPort  (28, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020}  (28, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81838, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81838, 0}  (28, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81838, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" )  ) == 0x0
 00897   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00898   896   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00900   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00901   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239488, ... ) }, 1239488, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00903   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00904   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00905   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239552, ... ) }, 1239552, ... ) == 0x0
 00906   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 120, {status=0x0, info=1}, ) }, 3, 33, ... 120, {status=0x0, info=1}, ) == 0x0
 00907   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00908   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00909   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 124, ... 128, ) == 0x0
 00910   896   NtClose  (124, ... ) == 0x0
 00911   896   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 1056768, ) == 0x0
 00912   896   NtClose  (128, ... ) == 0x0
 00913   896   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00914   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 00915   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 124, ) == 0x0
 00916   896   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00917   896   NtClose  (128, ... ) == 0x0
 00918   896   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00919   896   NtClose  (124, ... ) == 0x0
 00920   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00921   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00922   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00923   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00924   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00925   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00926   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00927   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00928   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00929   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00930   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00931   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00932   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00933   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00934   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00935   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00936   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00937   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00938   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00939   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00940   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00941   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00942   896   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1241032, ... ) , 42, 1241032, ... ) == 0x0
 00943   896   NtQueryDefaultUILanguage  (1239716, ...
 00944   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00945   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481368, ) == 0x0
 00946   896   NtQueryInformationToken  (-2147481368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00947   896   NtClose  (-2147481368, ... ) == 0x0
 00948   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00949   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x240, 0, 0,  (0x80000000, {24, -2147481368, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950   896   NtOpenKey  (0x80000000, {24, -2147481368, 0x640, 0, 0,  (0x80000000, {24, -2147481368, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00951   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952   896   NtClose  (-2147481452, ... ) == 0x0
 00953   896   NtClose  (-2147481368, ... ) == 0x0
 00943   896   NtQueryDefaultUILanguage  ... ) == 0x0
 00954   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238556, ... ) }, 1238556, ... ) == 0x0
 00955   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00956   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 124, ... 128, ) == 0x0
 00957   896   NtClose  (124, ... ) == 0x0
 00958   896   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 4096, ) == 0x0
 00959   896   NtClose  (128, ... ) == 0x0
 00960   896   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00961   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238152, ... ) }, 1238152, ... ) == 0x0
 00962   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238896,  (0x80100080, {24, 0, 0x40, 0, 1238896, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) == 0x0
 00963   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 128, ... 124, ) == 0x0
 00964   896   NtClose  (128, ... ) == 0x0
 00965   896   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 4096, ) == 0x0
 00966   896   NtClose  (124, ... ) == 0x0
 00967   896   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00968   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 124, {status=0x0, info=1}, ) }, 1, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00969   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 124, ... 128, ) == 0x0
 00970   896   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x380000), 0x0, 4096, ) == 0x0
 00971   896   NtQueryInformationFile  (124, 1238548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00972   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   896   NtRequestWaitReplyPort  (28, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572}  (28, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1|\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81839, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1|\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81839, 0}  (28, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1|\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81839, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1|\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" )  ) == 0x0
 00974   896   NtClose  (124, ... ) == 0x0
 00975   896   NtClose  (128, ... ) == 0x0
 00976   896   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00977   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00978   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00979   896   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 00980   896   NtUserGetDC  (0, ... ) == 0x1010052
 00981   896   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00982   896   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 00983   896   NtUserSystemParametersInfo  (66, 12, 1240548, 0, ... ) == 0x1
 00984   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00985   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 00986   896   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00987   896   NtClose  (128, ... ) == 0x0
 00988   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 128, ) }, ... 128, ) == 0x0
 00989   896   NtOpenProcessToken  (-1, 0x8, ... 124, ) == 0x0
 00990   896   NtAccessCheck  (1333816, 124, 0x1, 1240380, 1240432, 56, 1240412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00991   896   NtClose  (124, ... ) == 0x0
 00992   896   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "Control Panel\Desktop"}, ... 124, ) }, ... 124, ) == 0x0
 00993   896   NtQueryValueKey  (124,  (124, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   896   NtClose  (124, ... ) == 0x0
 00995   896   NtUserSystemParametersInfo  (41, 500, 1240576, 0, ... ) == 0x1
 00996   896   NtOpenProcessToken  (-1, 0x8, ... 124, ) == 0x0
 00997   896   NtAccessCheck  (1333816, 124, 0x1, 1240380, 1240432, 56, 1240412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00998   896   NtClose  (124, ... ) == 0x0
 00999   896   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 124, ) }, ... 124, ) == 0x0
 01000   896   NtQueryValueKey  (124,  (124, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001   896   NtClose  (124, ... ) == 0x0
 01002   896   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 01003   896   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 01004   896   NtClose  (128, ... ) == 0x0
 01005   896   NtUserSystemParametersInfo  (4130, 0, 1241080, 0, ... ) == 0x1
 01006   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 128, ) }, ... 128, ) == 0x0
 01007   896   NtEnumerateValueKey  (128, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01008   896   NtClose  (128, ... ) == 0x0
 01009   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01010   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c03b
 01011   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c03d
 01012   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01013   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c03f
 01014   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01015   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c041
 01016   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01017   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c043
 01018   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c045
 01019   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01020   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c047
 01021   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01022   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c049
 01023   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01024   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c04b
 01025   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01026   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c04d
 01027   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01028   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c04f
 01029   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c051
 01030   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01031   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c053
 01032   896   NtUserFindExistingCursorIcon  (1240324, 1240340, 1240388, ... ) == 0x10011
 01033   896   NtUserRegisterClassExWOW  (1240268, 1240336, 1240352, 1240368, 0, 384, 0, ... ) == 0x8177c055
 01034   896   NtUserFindExistingCursorIcon  (1240324, 1240340, 1240388, ... ) == 0x10011
 01035   896   NtUserRegisterClassExWOW  (1240268, 1240336, 1240352, 1240368, 0, 384, 0, ... ) == 0x8177c057
 01036   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01037   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c059
 01038   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10013
 01039   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c05b
 01040   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01041   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c05d
 01042   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01043   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c05f
 01044   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01045   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c017
 01046   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01047   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c019
 01048   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10013
 01049   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c018
 01050   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01051   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c01a
 01052   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01053   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c01c
 01054   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01055   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c01e
 01056   896   NtUserFindExistingCursorIcon  (1240320, 1240336, 1240384, ... ) == 0x10011
 01057   896   NtUserRegisterClassExWOW  (1240320, 1240388, 1240404, 1240420, 0, 384, 0, ... ) == 0x8177c01b
 01058   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01059   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c068
 01060   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01061   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c06a
 01062   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01063   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01064   896   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01065   896   NtClose  (128, ... ) == 0x0
 01066   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes"}, ... 128, ) }, ... 128, ) == 0x0
 01067   896   NtSetInformationObject  (130, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01068   896   NtQueryKey  (130, Name, 384, ... {Name= (130, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01069   896   NtOpenKey  (0x2000000, {24, 130, 0x40, 0, 0,  (0x2000000, {24, 130, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 124, ) }, ... 124, ) == 0x0
 01071   896   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 01072   896   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0
 01073   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01074   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 01075   896   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01076   896   NtClose  (132, ... ) == 0x0
 01077   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01078   896   NtEnumerateKey  (126, 0, Node, 288, ... {LastWrite={0xdf7c22cc,0x1c74da8}, TitleIdx=0, Name= (126, 0, Node, 288, ... {LastWrite={0xdf7c22cc,0x1c74da8}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0
 01079   896   NtEnumerateKey  (126, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01080   896   NtClose  (126, ... ) == 0x0
 01081   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01082   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01083   896   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01084   896   NtClose  (124, ... ) == 0x0
 01085   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 124, ) }, ... 124, ) == 0x0
 01086   896   NtSetInformationObject  (124, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01087   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01088   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01089   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 132, ) }, ... 132, ) == 0x0
 01090   896   NtQueryValueKey  (132,  (132, "DisableImprovedZoneCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01091   896   NtClose  (132, ... ) == 0x0
 01092   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01093   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01096   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 132, ) }, ... 132, ) == 0x0
 01097   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01099   896   NtClose  (132, ... ) == 0x0
 01100   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101   896   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01103   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   896   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01105   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01108   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01109   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 132, ) }, ... 132, ) == 0x0
 01110   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01111   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_OBJECT_CACHING"}, ... 136, ) }, ... 136, ) == 0x0
 01112   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01114   896   NtClose  (136, ... ) == 0x0
 01115   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_ZONE_ELEVATION"}, ... 136, ) }, ... 136, ) == 0x0
 01116   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01118   896   NtClose  (136, ... ) == 0x0
 01119   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_MIME_HANDLING"}, ... 136, ) }, ... 136, ) == 0x0
 01120   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01121   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   896   NtClose  (136, ... ) == 0x0
 01123   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_MIME_SNIFFING"}, ... 136, ) }, ... 136, ) == 0x0
 01124   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01125   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01126   896   NtClose  (136, ... ) == 0x0
 01127   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_WINDOW_RESTRICTIONS"}, ... 136, ) }, ... 136, ) == 0x0
 01128   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01129   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01130   896   NtClose  (136, ... ) == 0x0
 01131   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_WEBOC_POPUPMANAGEMENT"}, ... 136, ) }, ... 136, ) == 0x0
 01132   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01133   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01134   896   NtClose  (136, ... ) == 0x0
 01135   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_BEHAVIORS"}, ... 136, ) }, ... 136, ) == 0x0
 01136   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01137   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01138   896   NtClose  (136, ... ) == 0x0
 01139   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_DISABLE_MK_PROTOCOL"}, ... 136, ) }, ... 136, ) == 0x0
 01140   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01141   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01142   896   NtClose  (136, ... ) == 0x0
 01143   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_LOCALMACHINE_LOCKDOWN"}, ... 136, ) }, ... 136, ) == 0x0
 01144   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01146   896   NtClose  (136, ... ) == 0x0
 01147   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_SECURITYBAND"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01148   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_RESTRICT_ACTIVEXINSTALL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01149   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_VALIDATE_NAVIGATE_URL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01150   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_RESTRICT_FILEDOWNLOAD"}, ... 136, ) }, ... 136, ) == 0x0
 01151   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01152   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01153   896   NtClose  (136, ... ) == 0x0
 01154   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_ADDON_MANAGEMENT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_PROTOCOL_LOCKDOWN"}, ... 136, ) }, ... 136, ) == 0x0
 01156   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01157   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   896   NtClose  (136, ... ) == 0x0
 01159   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01160   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_SAFE_BINDTOOBJECT"}, ... 136, ) }, ... 136, ) == 0x0
 01161   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01162   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01163   896   NtClose  (136, ... ) == 0x0
 01164   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_UNC_SAVEDFILECHECK"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01165   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_GET_URL_DOM_FILEPATH_UNENCODED"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01166   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_TABBED_BROWSING"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01167   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_SSLUX"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_DISABLE_NAVIGATION_SOUNDS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_DISABLE_LEGACY_COMPRESSION"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_FORCE_ADDR_AND_STATUS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01171   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_XMLHTTP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_DISABLE_TELNET_PROTOCOL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_FEEDS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01174   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_BLOCK_INPUT_PROMPTS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01175   896   NtClose  (132, ... ) == 0x0
 01176   896   NtTestAlert  (... ) == 0x0
 01177   896   NtContinue  (1244464, 1, ...
 01178   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x409060,}, 4, ... ) == 0x0
 01179   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01180   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01181   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01182   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   896   NtQueryAttributesFile  ({24, 16, 0x40, 0, 0,  ({24, 16, 0x40, 0, 0, ".dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01185   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01186   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\drvfast\scripts\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01188   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\site\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01189   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01192   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kktools\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01194   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01195   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01196   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01197   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\VC98\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01198   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01199   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01200   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01201   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01203   896   NtQueryAttributesFile  ({24, 16, 0x40, 0, 0,  ({24, 16, 0x40, 0, 0, ".dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01205   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01206   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\drvfast\scripts\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\site\bin\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\bin\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01210   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01212   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kktools\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01216   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\VC98\bin\.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   896   NtCreateEvent  (0x1f0003, {24, 100, 0x80, 1245092, 0,  (0x1f0003, {24, 100, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 132, ) }, 1, 0, ... 132, ) == 0x0
 01218   896   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 136, ) }, {27086, 0}, 64, 134217728, 0, ... 136, ) == 0x0
 01219   896   NtMapViewOfSection  (136, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x380000), 0x0, 28672, ) == 0x0
 01220   896   NtOpenProcessToken  (-1, 0x20, ... 140, ) == 0x0
 01221   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01222   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01223   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 144, ) }, ... 144, ) == 0x0
 01224   896   NtQueryValueKey  (144,  (144, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01225   896   NtClose  (144, ... ) == 0x0
 01226   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 01228   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01229   896   NtQuerySystemTime  (... {1415235414, 29929616}, ) == 0x0
 01230   896   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 01231   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 152, ) == 0x0
 01232   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01233   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01234   896   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01235   896   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01236   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0
 01237   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 160, ) == 0x0
 01238   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 164, ) }, ... 164, ) == 0x0
 01239   896   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "ActiveComputerName"}, ... 168, ) }, ... 168, ) == 0x0
 01240   896   NtQueryValueKey  (168,  (168, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (168, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (168, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01241   896   NtClose  (168, ... ) == 0x0
 01242   896   NtClose  (164, ... ) == 0x0
 01243   896   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 164, ) == 0x0
 01244   896   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 168, ) == 0x0
 01245   896   NtDuplicateObject  (-1, 164, -1, 0x0, 0, 2, ... 172, ) == 0x0
 01246   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01247   896   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01248   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0
 01249   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01250   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01251   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243252,  (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0
 01252   896   NtSetInformationFile  (180, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01253   896   NtSetInformationFile  (180, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01254   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01255   896   NtWriteFile  (180, 157, 0, 0,  (180, 157, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01256   896   NtReadFile  (180, 157, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (180, 157, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01257   896   NtFsControlFile  (180, 157, 0x0, 0x0, 0x11c017,  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01258   896   NtFsControlFile  (180, 157, 0x0, 0x0, 0x11c017,  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0Hx\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \0Hx\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0Hx\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) == 0x103
 01259   896   NtFsControlFile  (180, 157, 0x0, 0x0, 0x11c017,  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01260   896   NtClose  (176, ... ) == 0x0
 01261   896   NtClose  (180, ... ) == 0x0
 01262   896   NtAdjustPrivilegesToken  (140, 0, 1245096, 0, 0, 0, ... ) == 0x0
 01263   896   NtClose  (140, ... ) == 0x0
 01264   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3801088, 65536, ) == 0x0
 01265   896   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 01266   896   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 140, ) == 0x0
 01267   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
 01268   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01269   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
 01270   896   NtFreeVirtualMemory  (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 65536, ) == 0x0
 01271   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01272   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01273   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01274   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01275   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01276   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01277   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01278   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01279   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01280   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01281   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01282   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 180, ) == 0x0
 01283   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 176, ) }, ... 176, ) == 0x0
 01284   896   NtMapViewOfSection  (176, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 01285   896   NtClose  (176, ... ) == 0x0
 01286   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01287   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01288   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01289   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01290   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01291   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01292   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01293   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01294   896   NtAllocateVirtualMemory  (180, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 01295   896   NtAllocateVirtualMemory  (180, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 01296   896   NtProtectVirtualMemory  (180, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 01297   896   NtCreateThread  (0x1f03ff, 0x0, 180, 1243840, 1243784, 1, ... 176, {580, 376}, ) == 0x0
 01298   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 0, 0, 0, 0}  (28, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\0\0\0D\2\0\0x\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\0\0\0D\2\0\0x\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81840, 0}  (28, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\0\0\0D\2\0\0x\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\0\0\0D\2\0\0x\1\0\0" )  ) == 0x0
 01299   896   NtResumeThread  (176, ... 1, ) == 0x0
 01300   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 01301   896   NtClose  (180, ... ) == 0x0
 01302   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01303   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01304   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 180, ) == 0x0
 01305   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01306   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 01307   896   NtClose  (184, ... ) == 0x0
 01308   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01309   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01310   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01311   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01312   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01313   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01314   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01315   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01316   896   NtClose  (180, ... ) == 0x0
 01317   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01318   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01319   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 180, ) == 0x0
 01320   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01321   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 01322   896   NtClose  (184, ... ) == 0x0
 01323   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01324   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01325   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01326   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01327   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01328   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01329   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01330   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01331   896   NtClose  (180, ... ) == 0x0
 01332   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01333   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01334   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 180, ) == 0x0
 01335   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01336   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01337   896   NtClose  (184, ... ) == 0x0
 01338   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01339   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01340   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01341   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01342   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01343   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01344   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01345   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01346   896   NtClose  (180, ... ) == 0x0
 01347   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01348   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01349   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 180, ) == 0x0
 01350   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01351   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01352   896   NtClose  (184, ... ) == 0x0
 01353   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01354   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01355   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01356   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01357   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01358   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01359   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01360   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01361   896   NtClose  (180, ... ) == 0x0
 01362   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01363   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01364   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 180, ) == 0x0
 01365   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01366   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0
 01367   896   NtClose  (184, ... ) == 0x0
 01368   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01369   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01370   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01371   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01372   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01373   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01374   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01375   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01376   896   NtClose  (180, ... ) == 0x0
 01377   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01378   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01379   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 180, ) == 0x0
 01380   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01381   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01382   896   NtClose  (184, ... ) == 0x0
 01383   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01384   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01385   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01386   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01387   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01388   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01389   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01390   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01391   896   NtClose  (180, ... ) == 0x0
 01392   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01393   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01394   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 180, ) == 0x0
 01395   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01396   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01397   896   NtClose  (184, ... ) == 0x0
 01398   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01399   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01400   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01401   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01402   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01403   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01404   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01405   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01406   896   NtClose  (180, ... ) == 0x0
 01407   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01408   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01409   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 180, ) == 0x0
 01410   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01411   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01412   896   NtClose  (184, ... ) == 0x0
 01413   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01414   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01415   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01416   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01417   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01418   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01419   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01420   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01421   896   NtClose  (180, ... ) == 0x0
 01422   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01423   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01424   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 180, ) == 0x0
 01425   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01426   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01427   896   NtClose  (184, ... ) == 0x0
 01428   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01429   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01430   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01431   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01432   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01433   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01434   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01435   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01436   896   NtClose  (180, ... ) == 0x0
 01437   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01438   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01439   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 180, ) == 0x0
 01440   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01441   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01442   896   NtClose  (184, ... ) == 0x0
 01443   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01444   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01445   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01446   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01447   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01448   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01449   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01450   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01451   896   NtClose  (180, ... ) == 0x0
 01452   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01453   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01454   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 180, ) == 0x0
 01455   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01456   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01457   896   NtClose  (184, ... ) == 0x0
 01458   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01459   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01460   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01461   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01462   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01463   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01464   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01465   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01466   896   NtClose  (180, ... ) == 0x0
 01467   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01468   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01469   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 180, ) == 0x0
 01470   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01471   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01472   896   NtClose  (184, ... ) == 0x0
 01473   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01474   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01475   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01476   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01477   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01478   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01479   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01480   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01481   896   NtClose  (180, ... ) == 0x0
 01482   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01483   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01484   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 180, ) == 0x0
 01485   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01486   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01487   896   NtClose  (184, ... ) == 0x0
 01488   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01489   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01490   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01491   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01492   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01493   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01494   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01495   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01496   896   NtClose  (180, ... ) == 0x0
 01497   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01498   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01499   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 180, ) == 0x0
 01500   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01501   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01502   896   NtClose  (184, ... ) == 0x0
 01503   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01504   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01505   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01506   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01507   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01508   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01509   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01510   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01511   896   NtClose  (180, ... ) == 0x0
 01512   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01513   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01514   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 180, ) == 0x0
 01515   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01516   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01517   896   NtClose  (184, ... ) == 0x0
 01518   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01519   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01520   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01521   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01522   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01523   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01524   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01525   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01526   896   NtClose  (180, ... ) == 0x0
 01527   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01528   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01529   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 180, ) == 0x0
 01530   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01531   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01532   896   NtClose  (184, ... ) == 0x0
 01533   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01534   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01535   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01536   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01537   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01538   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01539   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01540   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01541   896   NtClose  (180, ... ) == 0x0
 01542   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01543   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01544   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 180, ) == 0x0
 01545   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01546   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01547   896   NtClose  (184, ... ) == 0x0
 01548   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01549   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01550   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01551   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01552   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01553   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01554   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01555   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01556   896   NtClose  (180, ... ) == 0x0
 01557   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01558   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01559   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 180, ) == 0x0
 01560   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01561   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01562   896   NtClose  (184, ... ) == 0x0
 01563   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01564   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01565   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01566   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01567   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01568   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01569   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01570   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01571   896   NtClose  (180, ... ) == 0x0
 01572   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01573   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01574   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 180, ) == 0x0
 01575   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01576   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01577   896   NtClose  (184, ... ) == 0x0
 01578   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01579   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01580   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01581   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01582   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01583   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01584   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01585   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01586   896   NtClose  (180, ... ) == 0x0
 01587   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01588   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01589   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 180, ) == 0x0
 01590   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01591   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01592   896   NtClose  (184, ... ) == 0x0
 01593   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01594   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01595   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01596   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01597   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01598   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01599   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01600   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01601   896   NtClose  (180, ... ) == 0x0
 01602   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01603   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01604   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {784, 0}, ... 180, ) == 0x0
 01605   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01606   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01607   896   NtClose  (184, ... ) == 0x0
 01608   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01609   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01610   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01611   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01612   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01613   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01614   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01615   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01616   896   NtClose  (180, ... ) == 0x0
 01617   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01618   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01619   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {488, 0}, ... 180, ) == 0x0
 01620   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01621   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01622   896   NtClose  (184, ... ) == 0x0
 01623   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01624   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01625   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01626   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01627   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01628   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01629   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01630   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01631   896   NtClose  (180, ... ) == 0x0
 01632   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01633   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01634   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1208, 0}, ... 180, ) == 0x0
 01635   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01636   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01637   896   NtClose  (184, ... ) == 0x0
 01638   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01639   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01640   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01641   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01642   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01643   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01644   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01645   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01646   896   NtClose  (180, ... ) == 0x0
 01647   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01648   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01649   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {168, 0}, ... 180, ) == 0x0
 01650   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01651   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01652   896   NtClose  (184, ... ) == 0x0
 01653   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01654   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01655   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01656   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01657   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01658   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01659   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01660   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01661   896   NtClose  (180, ... ) == 0x0
 01662   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01663   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01664   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {764, 0}, ... 180, ) == 0x0
 01665   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01666   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01667   896   NtClose  (184, ... ) == 0x0
 01668   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01669   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01670   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01671   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01672   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01673   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01674   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01675   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01676   896   NtClose  (180, ... ) == 0x0
 01677   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01678   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01679   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {868, 0}, ... 180, ) == 0x0
 01680   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01681   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01682   896   NtClose  (184, ... ) == 0x0
 01683   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01684   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01685   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01686   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01687   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01688   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01689   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01690   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01691   896   NtClose  (180, ... ) == 0x0
 01692   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01693   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01694   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {808, 0}, ... 180, ) == 0x0
 01695   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01696   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01697   896   NtClose  (184, ... ) == 0x0
 01698   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01699   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01700   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01701   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01702   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01703   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01704   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01705   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01706   896   NtClose  (180, ... ) == 0x0
 01707   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01708   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01709   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 180, ) == 0x0
 01710   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01711   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01712   896   NtClose  (184, ... ) == 0x0
 01713   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01714   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01715   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01716   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01717   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01718   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01719   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01720   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01721   896   NtClose  (180, ... ) == 0x0
 01722   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01723   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01724   896   NtClose  (140, ... ) == 0x0
 01725   896   NtClose  (132, ... ) == 0x0
 01726   896   NtRequestWaitReplyPort  (28, {20, 48, new_msg, 0, 40, 3297224, -1, 3277240}  (28, {20, 48, new_msg, 0, 40, 3297224, -1, 3277240} "\0\0\0\0%\2\2\0\0\02\0\264\374\22\0\1\0<\0" ... {20, 48, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0%\2\2\0\0\0\0\0\264\374\22\0\1\0<\0" )  ... {20, 48, reply, 0, 1252, 896, 81885, 0}  (28, {20, 48, new_msg, 0, 40, 3297224, -1, 3277240} "\0\0\0\0%\2\2\0\0\02\0\264\374\22\0\1\0<\0" ... {20, 48, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0%\2\2\0\0\0\0\0\264\374\22\0\1\0<\0" )  ) == 0x0
 01727   896   NtClose  (36, ... ) == 0x0
 01728   896   NtCreateMutant  (0x1f0001, {24, 100, 0x80, 0, 0,  (0x1f0001, {24, 100, 0x80, 0, 0, "RpcPatch_Mutex"}, 0, ... 36, ) }, 0, ... 36, ) == 0x0
 01729   896   NtOpenEvent  (0x100000, {24, 100, 0x0, 0, 0,  (0x100000, {24, 100, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 132, ) }, ... 132, ) == 0x0
 01730   896   NtWaitForSingleObject  (132, 0, {-1800000000, -1}, ... ) == 0x0
 01731   896   NtClose  (132, ... ) == 0x0
 01732   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22\320z\235Lx\31\222\3645\326kN\301\272\200I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01733   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01734   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01735   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01736   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01737   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01738   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01739   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01740   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01741   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\255\246\3339\362\237obX\21\1\24\346\235\377O\254\230\350\336\277@\371\217\351\213V\237\Z=\343\33K\352n\366\10\220\376|\337P\250\370L\212\326\211\257\367\241\225w\2604~\3134\202\230*\304\17?\20o\363\377G%\314\10\342\356\313\230\375\177\200", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\255\246\3339\362\237obX\21\1\24\346\235\377O\254\230\350\336\277@\371\217\351\213V\237\Z=\343\33K\352n\366\10\220\376|\337P\250\370L\212\326\211\257\367\241\225w\2604~\3134\202\230*\304\17?\20o\363\377G%\314\10\342\356\313\230\375\177\200", 80, ... ) , 80, ... ) == 0x0
 01742   896   NtClose  (-2147481368, ... ) == 0x0
 01732   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\352T\361\307\303!\353\242\202\313"\12\1uQa\370B\2112\6P\300ii-\30\266}\23\271\3037X\247\203\257y\373C_\304N\\224\20\321[s\32M\372,\325\254\254'\254\3e\354\222\300\326\333\31\376b\36m\26\301L\211\252O\335\235\30\33\307\326\266\301\304$\36\247\367\266\371\362\367M\32`\200\254\6\266\323\371\372\300\267\237\253"]c\254\24ia\10i\12\211\371\6\373\5v\350\322\211\210\7ak\3YEL\243\320\370\321l\263\270"2\237-\347;\25p\262\26\33\346\225\c\255\236P\6\207\34\206\217\230\226<\320\302{:\371$\272\203\250\230\247h\5\351\20\350\312\1404\31Y-\3C\27P-\206GJ\263\\344\334\261Ks\271=\365B\230U\320\33\244\242\321\0\322z\314Z\22\372\357Nh\314\273?\253D\265E7-\300\3\372\311\372Y\200\1\360\340M\270\312\213*\342\17\35\336z\33", ) \12\1uQa\370B\2112\6P\300ii-\30\266}\23\271\3037X\247\203\257y\373C_\304N\\224\20\321[s\32M\372,\325\254\254'\254\3e\354\222\300\326\333\31\376b\36m\26\301L\211\252O\335\235\30\33\307\326\266\301\304$\36\247\367\266\371\362\367M\32`\200\254\6\266\323\371\372\300\267\237\253 ... {status=0x0, info=256}, "\352T\361\307\303!\353\242\202\313"\12\1uQa\370B\2112\6P\300ii-\30\266}\23\271\3037X\247\203\257y\373C_\304N\\224\20\321[s\32M\372,\325\254\254'\254\3e\354\222\300\326\333\31\376b\36m\26\301L\211\252O\335\235\30\33\307\326\266\301\304$\36\247\367\266\371\362\367M\32`\200\254\6\266\323\371\372\300\267\237\253"]c\254\24ia\10i\12\211\371\6\373\5v\350\322\211\210\7ak\3YEL\243\320\370\321l\263\270"2\237-\347;\25p\262\26\33\346\225\c\255\236P\6\207\34\206\217\230\226<\320\302{:\371$\272\203\250\230\247h\5\351\20\350\312\1404\31Y-\3C\27P-\206GJ\263\\344\334\261Ks\271=\365B\230U\320\33\244\242\321\0\322z\314Z\22\372\357Nh\314\273?\253D\265E7-\300\3\372\311\372Y\200\1\360\340M\270\312\213*\342\17\35\336z\33", ) 2\237-\347;\25p\262\26\33\346\225\c\255\236P\6\207\34\206\217\230\226<\320\302{:\371$\272\203\250\230\247h\5\351\20\350\312\1404\31Y-\3C\27P-\206GJ\263\\344\334\261Ks\271=\365B\230U\320\33\244\242\321\0\322z\314Z\22\372\357Nh\314\273?\253D\265E7-\300\3\372\311\372Y\200\1\360\340M\270\312\213*\342\17\35\336z\33", ) == 0x0
 01743   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22\320z\235Lx\31\222K\24\347\0V\213\351oA\326kN\301\272\200I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01744   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01745   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01746   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01747   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01748   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01749   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01750   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01751   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01752   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "R\35\342M\334\213J\301\31\31\235\256\7v\4\212\343\265k\314zs\252DoW\367\35\360>\337E\332}`}\250r\164\224\246\227\237\204P"\346\3504\364\313%\365\307Op\343\225Z\237\317\246\215\205\361\11\317\17m?\30)d\253\221$KZ\370", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "R\35\342M\334\213J\301\31\31\235\256\7v\4\212\343\265k\314zs\252DoW\367\35\360>\337E\332}`}\250r\164\224\246\227\237\204P"\346\3504\364\313%\365\307Op\343\225Z\237\317\246\215\205\361\11\317\17m?\30)d\253\221$KZ\370", 80, ... ) \346\3504\364\313%\365\307Op\343\225Z\237\317\246\215\205\361\11\317\17m?\30)d\253\221$KZ\370", 80, ... ) == 0x0
 01753   896   NtClose  (-2147481368, ... ) == 0x0
 01743   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\302\311\17L\221Y{\350\32\330\205\341\222\260\304\32dZ\325\1`k\244B\212\203:\207\7!`\22l:\4w\244\177\322\256r,k\246\334Ef\337=p\13\15\247\235\11C1\262\263\236\3427\177\230\262\305\36#\260\226R\246\312\7\200d>\244\372\240\13%\3069\331H\341\34C\243\240&\357\21mVo\364\227\236\1$\11<\311\244l\214H]\215\326\372\265s\4\21\334\226J\224cPi\366\345\335q\334\14!\251\326\227\345\23 E5\342\256\257\31\333*\36}\271\177}:!X\315\207\275\210\340\231\207\3370\315\202\3761\33I\273P\353\3\3212\342\367\34V;\20\254\200\270D\306\304Z\274\350\33\351u\221\366\204\232N\343\244\322s\214O\257\317\3\244\227R\3223\225\214\200\330,", ) , ) == 0x0
 01754   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22\320z\235Lx\31\222K\24\347\0V\213\351\320`\347\0V\213\351oA\326kN\301\272\200I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01755   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01756   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01757   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01758   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01759   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01760   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01761   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01762   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01763   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\345\223\275\314\321\212\337\300\234\366\344\323ym\11\245\2649\240\307L\2714\241hQ\255l\254Z\321\230\212c\266\3045C|P\32i\343\364\365\332\207T!\244\330\321~\363\304\217\373\212>3\372>A[P\336\310\324\313\345\275B. \32\333\25C\213\343", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\345\223\275\314\321\212\337\300\234\366\344\323ym\11\245\2649\240\307L\2714\241hQ\255l\254Z\321\230\212c\266\3045C|P\32i\343\364\365\332\207T!\244\330\321~\363\304\217\373\212>3\372>A[P\336\310\324\313\345\275B. \32\333\25C\213\343", 80, ... ) , 80, ... ) == 0x0
 01764   896   NtClose  (-2147481368, ... ) == 0x0
 01754   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "T\25\362GS\344\323\265\355I'J\255sj\247N\35\332\236\245\305\26\21\214\37K\317x[\267%\225\5\331\21$f\33+Y^\247#\31\260C\2\323\374Q\322<\227\271\272\203\261m\267\0r\215\2\365\352\307\301\2Y\226\325g..\0vd\2473\336\3\15m\372\301\354U\273\252\211\303\332\363G\246\313\253\350\336\13\25\322\345\274\315yxB@\217\234}\260p\320\2774V2\202\200bR\363z\350\362!l;72\231\332H\214\352\31\253\325\367\211\375\3073'\377\346\232\233\3051h\221K\325\236\217;<\0\245\12KtK]\364j\366K\3106\353e2\253*E+\360!\373\214&\336d\7=\226\23\236,d>\250\327\237q8\330\17\2754)A\305p\351\33&K\10\331\351\327\20R\247\224\271\362!%\371\355!\201/\325KI\14\325\346\362\5>X=\373zCU\2276i-\351MU\244\24\22\222", ) , ) == 0x0
 01765   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22\320z\235Lx\31\222K\24\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351oA\326kN\301\272\200I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01766   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01767   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01768   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01769   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01770   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01771   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01772   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01773   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01774   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\344'\324\250\332\20\33\307\256\332\211\200\311\226\242\37\365\206\223\302\217q\353tw\252\244Z\343\264Y>\217\275%\305&\230\335a\177\20\313\211\374\372\0h\264C\302\255M?C\330\211\217\301K\212\202\201>\6(:\255c+_,\301G\274O\34\17V\226", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\344'\324\250\332\20\33\307\256\332\211\200\311\226\242\37\365\206\223\302\217q\353tw\252\244Z\343\264Y>\217\275%\305&\230\335a\177\20\313\211\374\372\0h\264C\302\255M?C\330\211\217\301K\212\202\201>\6(:\255c+_,\301G\274O\34\17V\226", 80, ... ) , 80, ... ) == 0x0
 01775   896   NtClose  (-2147481368, ... ) == 0x0
 01765   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "fo\304\35\202\376\354k\235\3572o\210<\343O\301j\245\367\340\320G\361\340>H\5$\\20\331g\244\245!\366b\343\300\270\216\12^-R\355\375\307a\310\356\15^\304\7\245\375e8\324\204\245F\324\260\377\320\2075u]\215f\251\21\362\2161\337\226EA\242H\21\375\177\13\237S)\301\27\3e\341\24\362>2\224\225&\1\35*\323\334\353\7?\244\\366N\254\16\232\355_\37r\261\241)\5\372\3\251\266\320\200!PZ\322\177+\352\205\312\261\311\363(\275\362\374\326\3\346YK\335\260\370\270\214Qn\205\21b\22fF\7@I\310\215S\212\237\257\36\22\263\317\375bO\315n\35\264\35\212 &\235\200\243\275\1\264\4:\220\10\227\371\212\3670J\200\177\217\223I\241\206\250\37\266y\15\35E\15Uuw\277[b\265\260\364\16\206[\351;sa\13\261\373\214\369\261\245\321tm\5\2347\371\257\200", ) , ) == 0x0
 01776   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22\320z\235Lx\31\222K\24\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351oA\326kN\301\272\200I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01777   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01778   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01779   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01780   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01781   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01782   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01783   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01784   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01785   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\325\20\323G\303\0\301\11\354\306\355e\247\221\12\335\331\254\336X=-\323\27_3\273\305\271Y\201\273\266S\337\325\212Xo\250\342U\3\303Y\245\265\323\217\365\266\320+\370R6#\320p3@S\321\367\350\204\33\212\10\342\213hf=4\226 M#/", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\325\20\323G\303\0\301\11\354\306\355e\247\221\12\335\331\254\336X=-\323\27_3\273\305\271Y\201\273\266S\337\325\212Xo\250\342U\3\303Y\245\265\323\217\365\266\320+\370R6#\320p3@S\321\367\350\204\33\212\10\342\213hf=4\226 M#/", 80, ... ) , 80, ... ) == 0x0
 01786   896   NtClose  (-2147481368, ... ) == 0x0
 01776   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\227\255\236%\371O\34\345]U\317\300[\257 \34_9\202\333(\211\2632\231eVUo\207\347q\313\276\342[c\245\221\227\213p\3\277V{\362\33\331\272\24\244[\235\12\207=\1u\237\312\312\31p\1\12\10`\331\355\237VR\317\20W\21#\323G4\351@o\324\7#{\26\316\264j\343\260\333\0A\211\202\320\375\250\246\240\177vYN\313\271\250\314\367\71\2356\360\320\266\304\277M\324\3711\217\310MZ\234\357T\352\306\27Q\214\233)_c<\214@g\3350Z\306\366\7]\334\312\21\330\304X'\267"$\242D\275\331\253\366_\233\22$\233\251\31\365\232\322;\340\352{U\14\273\227n\23+\325\312\330\263\372\3150\230\4RS\377\32\256U%\36\361L5&~\242\2335\321\236\363\226s-\274*_\277\313]j~\333\307\345\276.\256B*'e\376A\273275\331\253\366_\233\22$\233\251\31\365\232\322;\340\352{U\14\273\227n\23+\325\312\330\263\372\3150\230\4RS\377\32\256U%\36\361L5&~\242\2335\321\236\363\226s-\274*_\277\313]j~\333\307\345\276.\256B*'e\376A\2737\335Q\27K\3o\30139\231", ) == 0x0
 01787   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22\320z\235Lx\31\222K\24\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351oA\326kN\301\272\200I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01788   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01789   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01790   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01791   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01792   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01793   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01794   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01795   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01796   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "Mb\226\304\357[\266\227\364\10\237\26M2\204\340\21 \266\69\373\247\15\333\377\206\260\207\326\262\361\34L)%_]0N4+\271s\371\330?_P^%\243d\344\6\300\14\233\32&\356-m\262[\350\7\210T\201X\363\355\356![[}\24{", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "Mb\226\304\357[\266\227\364\10\237\26M2\204\340\21 \266\69\373\247\15\333\377\206\260\207\326\262\361\34L)%_]0N4+\271s\371\330?_P^%\243d\344\6\300\14\233\32&\356-m\262[\350\7\210T\201X\363\355\356![[}\24{", 80, ... ) , 80, ... ) == 0x0
 01797   896   NtClose  (-2147481368, ... ) == 0x0
 01787   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "j\311M\356,v.\35Jkb\200q\377\10\363O\266h\352 pZ\334+h\262\327^^\23\237\375n\3143\144+E\344\330\25\206\24U\302\344\10Fp\205;\6\14\262\237\13\241`xEi#d\340\327G\371\215?p~\22\370\325\310\4\337\23\16D\224\316\22329\326\375\20E\267\225\3430y\344\2054\30537\311\303Ud\366\33\306\323\244\274\6c\31\264\21cw\2138h[\252\21\35\270o\364\304\233A\301\3365\27\373*\264\22\366\251s\370\254\177\3077\207\312P7\351\261\252\310*\324t\212I\314\334U\245&\227\200\235\353\266\3531S[JZ2K\201\224b\214J\271\317\365\324\342\357b\201nA\204\255.B4\266\343\207\11\2044\300\5\245 \262H\276O\201$0H\320`a\225\336\16\378\354"\22\351Q\350y\276\263\3434\10R$\302\1\254\21\331]\374\332 \232z\224\366\320\202\253", ) \22\351Q\350y\276\263\3434\10R$\302\1\254\21\331]\374\332 \232z\224\366\320\202\253", ) == 0x0
 01798   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22\320z\235Lx\31\222K\24\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351\320`\347\0V\213\351oA\326kN\301\272\200I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01799   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01800   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01801   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01802   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01803   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01804   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01805   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01806   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481368, 2, ) }, 0, 0x0, 0, ... -2147481368, 2, ) == 0x0
 01807   896   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\1\337\15\264o\200\2\206nb\30\351/\317^\354\335h\303\242\6\327\334\214\30+rTA\312\354\270\377\215\326?\232\6\2654\314\30&u}\\333\303\215\261\325\344/M\366N\255#JW\225\233\342\177\305\275\354\323\325\220\257\225I!L{\10\315p\205", 80, ... ) , 0, 3,  (-2147481368, "Seed", 0, 3, "\1\337\15\264o\200\2\206nb\30\351/\317^\354\335h\303\242\6\327\334\214\30+rTA\312\354\270\377\215\326?\232\6\2654\314\30&u}\\333\303\215\261\325\344/M\366N\255#JW\225\233\342\177\305\275\354\323\325\220\257\225I!L{\10\315p\205", 80, ... ) , 80, ... ) == 0x0
 01808   896   NtClose  (-2147481368, ... ) == 0x0
 01798   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\375\3719\242\5\302\265j\363\313\262\264\242\376>\310\32\4\367\315\276:E\332vX\202\347/\13\317\252h\335\26\213slY\223\336\207_=\236\35\10\23Gv;\23\202\5\313!\326\224\236LeyQq/\376n\12\12\375\237\353`1r\244 4\306\262\340\321>\3019\241\327\15\354\320\250K)j/[MOm\345\212\237h\365r\5\322\346\225\372r_\263\225\257\5NV2\341*\210bS\221\352\350A\214AVP\301\270\272\357\349C\213\216O\343S\307\306\265I\333Y\225\273\347>\212\270\373\343\306\362&q\214\234\320sF\361Z\10\240\352\316z\20\363\11p\202\4K\203\243\373\11;i\303g\241+%\215\264)!\16\211?\313E\201k0$\254x\333[&\343\277F\306\246\341\0\302\332q\257]\253\354q=\216xN\16\202#`\353\223\254U\211\325\242rL\252\201t\365@v\35\202\245\361\314\260.X", ) , ) == 0x0
 01809   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01810   896   NtConnectPort  ( ("\RPC Control\ntsvcs", {12, 2, 1, 1}, 0x0, 0x0, 1243284, 188, ... 140, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 1243284, 188, ... 140, 0x0, 0x0, 0x0, 188, ) == 0x0
 01811   896   NtRequestWaitReplyPort  (140, {200, 224, new_msg, 0, 1341512, 12, 2, 1310977}  (140, {200, 224, new_msg, 0, 1341512, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\20\232\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\312\252\224\257\253;|\330p\215\24\0Sf\237\323\12\0\0\0\0\0\0\0p\215\24\0(\0\0\0x\215\24\0\225\1\320\240\1\24\0(\0\0\0\333s\0\0\0\0\24\0\360\366\22\0\224\0\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81887, 0} "\7\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\312\252\224\257\253;|\330p\215\24\0Sf\237\323\12\0\0\0\0\0\0\0p\215\24\0(\0\0\0x\215\24\0\225\1\320\240\1\24\0(\0\0\0\333s\0\0\0\0\24\0\360\366\22\0\224\0\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1252, 896, 81887, 0}  (140, {200, 224, new_msg, 0, 1341512, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\20\232\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\312\252\224\257\253;|\330p\215\24\0Sf\237\323\12\0\0\0\0\0\0\0p\215\24\0(\0\0\0x\215\24\0\225\1\320\240\1\24\0(\0\0\0\333s\0\0\0\0\24\0\360\366\22\0\224\0\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81887, 0} "\7\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\312\252\224\257\253;|\330p\215\24\0Sf\237\323\12\0\0\0\0\0\0\0p\215\24\0(\0\0\0x\215\24\0\225\1\320\240\1\24\0(\0\0\0\333s\0\0\0\0\24\0\360\366\22\0\224\0\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01812   896   NtRequestWaitReplyPort  (140, {48, 72, new_msg, 0, 44, 3, 20, 0}  (140, {48, 72, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\33\0gS\263F\252\227\2L\355h\28 \0"\0\377\377\377\377\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200D\0e\0" ... {96, 120, reply, 0, 1252, 896, 81888, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ) \0\377\377\377\377\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200D\0e\0 (140, {48, 72, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\33\0gS\263F\252\227\2L\355h\28 \0"\0\377\377\377\377\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200D\0e\0" ... {96, 120, reply, 0, 1252, 896, 81888, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ) \2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ) == 0x0
 01813   896   NtRequestWaitReplyPort  (140, {100, 124, new_msg, 0, 1252, 896, 81888, 0}  (140, {100, 124, new_msg, 0, 1252, 896, 81888, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\11\0\0\0\0\0\0\0\11\0\0\0RpcPatch\0\0\0\0\377\1\17\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81889, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ... {96, 120, reply, 0, 1252, 896, 81889, 0}  (140, {100, 124, new_msg, 0, 1252, 896, 81888, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\11\0\0\0\0\0\0\0\11\0\0\0RpcPatch\0\0\0\0\377\1\17\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81889, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ) == 0x0
 01814   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01815   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\system32\dllcache\tftpd.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01816   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01817   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 0x0, 0, 3, 1, 2097252, 0, 0, ... ) }, 0x0, 0, 3, 1, 2097252, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01818   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01819   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 0x0, 0, 1, 1, 100, 0, 0, ... ) }, 0x0, 0, 1, 1, 100, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01820   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01821   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 0x0, 0, 3, 1, 100, 0, 0, ... ) }, 0x0, 0, 3, 1, 100, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01822   896   NtOpenEvent  (0x100000, {24, 100, 0x0, 0, 0,  (0x100000, {24, 100, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 180, ) }, ... 180, ) == 0x0
 01823   896   NtWaitForSingleObject  (180, 0, {-1800000000, -1}, ... ) == 0x0
 01824   896   NtClose  (180, ... ) == 0x0
 01825   896   NtRequestWaitReplyPort  (140, {48, 72, new_msg, 0, 1252, 896, 81889, 0}  (140, {48, 72, new_msg, 0, 1252, 896, 81889, 0} "\1\356\0\0A\2\33\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81890, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81890, 0}  (140, {48, 72, new_msg, 0, 1252, 896, 81889, 0} "\1\356\0\0A\2\33\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81890, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01826   896   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01827   896   NtRequestWaitReplyPort  (140, {44, 68, new_msg, 56, 1252, 896, 81890, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81890, 0} "\1+\0\0B\2\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0\330\237\24\0\370\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81891, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0B\0a\0s\0e\0\0\0s\0\2\0\0\0\0\0\0\0\2\0\0\0/\0\0\0" )  ... {124, 148, reply, 0, 1252, 896, 81891, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81890, 0} "\1+\0\0B\2\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0\330\237\24\0\370\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81891, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0B\0a\0s\0e\0\0\0s\0\2\0\0\0\0\0\0\0\2\0\0\0/\0\0\0" )  ) == 0x0
 01828   896   NtRequestWaitReplyPort  (140, {96, 120, new_msg, 0, 1252, 896, 81891, 0}  (140, {96, 120, new_msg, 0, 1252, 896, 81891, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\6\0\0\0\0\0\0\0\6\0\0\0MSDTC\0\0\0\377\1\17\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81892, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ... {96, 120, reply, 0, 1252, 896, 81892, 0}  (140, {96, 120, new_msg, 0, 1252, 896, 81891, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\6\0\0\0\0\0\0\0\6\0\0\0MSDTC\0\0\0\377\1\17\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81892, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ) == 0x0
 01829   896   NtRequestWaitReplyPort  (140, {84, 108, new_msg, 0, 1252, 896, 81892, 0}  (140, {84, 108, new_msg, 0, 1252, 896, 81892, 0} "\1\356\0\0A\2&\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81893, 0} "\2+\263\341\4\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0(\4\0\0x~\15\0" )  ... {40, 64, reply, 0, 1252, 896, 81893, 0}  (140, {84, 108, new_msg, 0, 1252, 896, 81892, 0} "\1\356\0\0A\2&\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81893, 0} "\2+\263\341\4\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0(\4\0\0x~\15\0" )  ) == 0x0
 01830   896   NtRequestWaitReplyPort  (140, {64, 88, new_msg, 56, 1351976, 1242952, 1243052, 0}  (140, {64, 88, new_msg, 56, 1351976, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0H\246\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {64, 88, reply, 56, 1252, 896, 81894, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0H\246\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" )  ... {64, 88, reply, 56, 1252, 896, 81894, 0}  (140, {64, 88, new_msg, 56, 1351976, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0H\246\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {64, 88, reply, 56, 1252, 896, 81894, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0H\246\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 01831   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81893, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81893, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81895, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ... {96, 120, reply, 0, 1252, 896, 81895, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81893, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81895, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ) == 0x0
 01832   896   NtRequestWaitReplyPort  (140, {44, 68, new_msg, 56, 1252, 896, 81895, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81895, 0} "\1\356\0\0B\2$\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0H\246\24\0O\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81896, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0x~\15\0" )  ... {40, 64, reply, 0, 1252, 896, 81896, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81895, 0} "\1\356\0\0B\2$\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0H\246\24\0O\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81896, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0x~\15\0" )  ) == 0x0
 01833   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81896, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81896, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81897, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81897, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81896, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81897, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 01834   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81897, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81897, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81898, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ... {96, 120, reply, 0, 1252, 896, 81898, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81897, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81898, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ) == 0x0
 01835   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1243000, ... ) }, 1243000, ... ) == 0x0
 01836   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 180, {status=0x0, info=1}, ) }, 7, 2113568, ... 180, {status=0x0, info=1}, ) == 0x0
 01837   896   NtSetInformationFile  (180, 1242976, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01838   896   NtClose  (180, ... ) == 0x0
 01839   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0
 01840   896   NtQueryInformationFile  (180, 1243684, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01841   896   NtQueryInformationFile  (180, 1243600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01842   896   NtQueryInformationFile  (180, 1243416, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01843   896   NtAllocateVirtualMemory  (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
 01844   896   NtQueryInformationFile  (180, 1353632, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01845   896   NtQueryInformationFile  (180, 1241864, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01846   896   NtQueryInformationFile  (180, 1242140, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01847   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\WINS\DLLHOST.EXE"}, 1241336, ... ) }, 1241336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01848   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242016,  (0x40110080, {24, 0, 0x40, 0, 1242016, "\??\C:\WINDOWS\system32\wins\DLLHOST.EXE"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01849   896   NtClose  (-2147481484, ... ) == 0x0
 01848   896   NtCreateFile  ... 184, {status=0x0, info=2}, ) == 0x0
 01850   896   NtQueryVolumeInformationFile  (184, 1242168, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01851   896   NtQueryInformationFile  (184, 1241752, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01852   896   NtQueryVolumeInformationFile  (180, 1242168, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01853   896   NtSetInformationFile  (184, 1242068, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01854   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 180, ... 188, ) == 0x0
 01855   896   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01856   896   NtClose  (188, ... ) == 0x0
 01857   896   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\250\0\0\0\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^%\35\22?KN\22?KN\22?KNK\34XN\20?KN\2217\26N\30?KNi#GN\23?KN} AN\31?KN\221#EN\23?KN} ON\21?KN\22?JNv?KN\24\34@N\20?KNRich\22?KN\0\0\0\0\0\0\0\0PE\0\0L\1\3\0irus\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0`\0\0`\220\0\0\0p\0\0\0\240\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\00\1\0\0\4\0\0\0\0\0\0\3\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\240\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0", 19968, 0x0, 0, ... {status=0x0, info=19968}, ) , 19968, 0x0, 0, ... {status=0x0, info=19968}, ) == 0x0
 01858   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01859   896   NtSetInformationFile  (184, 1243416, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01860   896   NtClose  (180, ... ) == 0x0
 01861   896   NtClose  (184, ... ) == 0x0
 01862   896   NtOpenEvent  (0x100000, {24, 100, 0x0, 0, 0,  (0x100000, {24, 100, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 184, ) }, ... 184, ) == 0x0
 01863   896   NtWaitForSingleObject  (184, 0, {-1800000000, -1}, ... ) == 0x0
 01864   896   NtClose  (184, ... ) == 0x0
 01865   896   NtRequestWaitReplyPort  (140, {48, 72, new_msg, 0, 1252, 896, 81898, 0}  (140, {48, 72, new_msg, 0, 1252, 896, 81898, 0} "\1\356\0\0A\2\33\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81899, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81899, 0}  (140, {48, 72, new_msg, 0, 1252, 896, 81898, 0} "\1\356\0\0A\2\33\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81899, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01866   896   NtRequestWaitReplyPort  (140, {44, 68, new_msg, 56, 1252, 896, 81899, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81899, 0} "\1+\0\0B\2\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0\300\236\24\0\350\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81900, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\227\14>{z\307\36M\236\253\23\312\345>u\322\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0B\0a\0s\0e\0\0\0s\0\2\0\0\0\0\0\0\0\2\0\0\0/\0\0\0" )  ... {124, 148, reply, 0, 1252, 896, 81900, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81899, 0} "\1+\0\0B\2\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0\300\236\24\0\350\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81900, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\227\14>{z\307\36M\236\253\23\312\345>u\322\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0B\0a\0s\0e\0\0\0s\0\2\0\0\0\0\0\0\0\2\0\0\0/\0\0\0" )  ) == 0x0
 01867   896   NtRequestWaitReplyPort  (140, {96, 120, new_msg, 0, 1252, 896, 81900, 0}  (140, {96, 120, new_msg, 0, 1252, 896, 81900, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\10\0\0\0\0\0\0\0\10\0\0\0Browser\0\377\1\17\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81901, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ... {96, 120, reply, 0, 1252, 896, 81901, 0}  (140, {96, 120, new_msg, 0, 1252, 896, 81900, 0} "\1\0\0\0A\2\34\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\10\0\0\0\0\0\0\0\10\0\0\0Browser\0\377\1\17\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81901, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ) == 0x0
 01868   896   NtRequestWaitReplyPort  (140, {84, 108, new_msg, 0, 1252, 896, 81901, 0}  (140, {84, 108, new_msg, 0, 1252, 896, 81901, 0} "\1\356\0\0A\2&\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81902, 0} "\2+\263\341\4\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0(\4\0\0x~\15\0" )  ... {40, 64, reply, 0, 1252, 896, 81902, 0}  (140, {84, 108, new_msg, 0, 1252, 896, 81901, 0} "\1\356\0\0A\2&\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81902, 0} "\2+\263\341\4\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0(\4\0\0x~\15\0" )  ) == 0x0
 01869   896   NtRequestWaitReplyPort  (140, {64, 88, new_msg, 56, 1351976, 1242952, 1243052, 0}  (140, {64, 88, new_msg, 56, 1351976, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0\240\247\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {64, 88, reply, 56, 1252, 896, 81903, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0\240\247\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" )  ... {64, 88, reply, 56, 1252, 896, 81903, 0}  (140, {64, 88, new_msg, 56, 1351976, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0\240\247\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {64, 88, reply, 56, 1252, 896, 81903, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\234\241\24\0\1\0\0\0\240\247\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 01870   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81902, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81902, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81904, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ... {96, 120, reply, 0, 1252, 896, 81904, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81902, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\1\0\0\0\0\4\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81904, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ) == 0x0
 01871   896   NtRequestWaitReplyPort  (140, {44, 68, new_msg, 56, 1252, 896, 81904, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81904, 0} "\1\356\0\0B\2$\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\30\220\24\0V\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81905, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0x~\15\0" )  ... {40, 64, reply, 0, 1252, 896, 81905, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81904, 0} "\1\356\0\0B\2$\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\30\220\24\0V\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81905, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0x~\15\0" )  ) == 0x0
 01872   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81905, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81905, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\227\14>{z\307\36M\236\253\23\312\345>u\322\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81906, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81906, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81905, 0} "\1+\0\0A\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\227\14>{z\307\36M\236\253\23\312\345>u\322\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81906, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 01873   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81906, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81906, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81907, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ... {96, 120, reply, 0, 1252, 896, 81907, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81906, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81907, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ) == 0x0
 01874   896   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 01875   896   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01876   896   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01877   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01878   896   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "Protocol_Catalog9"}, ... 188, ) }, ... 188, ) == 0x0
 01879   896   NtQueryValueKey  (188,  (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01880   896   NtNotifyChangeKey  (188, 180, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01881   896   NtQueryValueKey  (188,  (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01882   896   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01883   896   NtQueryValueKey  (188,  (188, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 01884   896   NtQueryValueKey  (188,  (188, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 01885   896   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "Catalog_Entries"}, ... 192, ) }, ... 192, ) == 0x0
 01886   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000001"}, ... 196, ) }, ... 196, ) == 0x0
 01887   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01888   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01889   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0b\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0c\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0b\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0c\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0b\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0b\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0c\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01890   896   NtClose  (196, ... ) == 0x0
 01891   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000002"}, ... 196, ) }, ... 196, ) == 0x0
 01892   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01893   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01894   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0g\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0h\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0g\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0h\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0g\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0h\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01895   896   NtClose  (196, ... ) == 0x0
 01896   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000003"}, ... 196, ) }, ... 196, ) == 0x0
 01897   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01898   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01899   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0l\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0m\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0l\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0m\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0l\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0m\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01900   896   NtClose  (196, ... ) == 0x0
 01901   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000004"}, ... 196, ) }, ... 196, ) == 0x0
 01902   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01903   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01904   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0q\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0q\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0r\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0s\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0q\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0q\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0r\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0s\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0q\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0q\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0r\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0s\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01905   896   NtClose  (196, ... ) == 0x0
 01906   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000005"}, ... 196, ) }, ... 196, ) == 0x0
 01907   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01908   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01909   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0w\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0x\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01910   896   NtClose  (196, ... ) == 0x0
 01911   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000006"}, ... 196, ) }, ... 196, ) == 0x0
 01912   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01913   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01914   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0|\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0}\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01915   896   NtClose  (196, ... ) == 0x0
 01916   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000007"}, ... 196, ) }, ... 196, ) == 0x0
 01917   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01918   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01919   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\201\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\202\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01920   896   NtClose  (196, ... ) == 0x0
 01921   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000008"}, ... 196, ) }, ... 196, ) == 0x0
 01922   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01923   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01924   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\206\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\207\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\210\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01925   896   NtClose  (196, ... ) == 0x0
 01926   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000009"}, ... 196, ) }, ... 196, ) == 0x0
 01927   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01928   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01929   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\212\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\213\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\215\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01930   896   NtClose  (196, ... ) == 0x0
 01931   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000010"}, ... 196, ) }, ... 196, ) == 0x0
 01932   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01933   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01934   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\217\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\220\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01935   896   NtClose  (196, ... ) == 0x0
 01936   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000011"}, ... 196, ) }, ... 196, ) == 0x0
 01937   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01938   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01939   896   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01940   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\226\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\227\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01941   896   NtClose  (196, ... ) == 0x0
 01942   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000012"}, ... 196, ) }, ... 196, ) == 0x0
 01943   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01944   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01945   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\233\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\234\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01946   896   NtClose  (196, ... ) == 0x0
 01947   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000013"}, ... 196, ) }, ... 196, ) == 0x0
 01948   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01949   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01950   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\242\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\242\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\242\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\240\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\241\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\242\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01951   896   NtClose  (196, ... ) == 0x0
 01952   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000014"}, ... 196, ) }, ... 196, ) == 0x0
 01953   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01954   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01955   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\247\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\247\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\247\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\244\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\245\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\247\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01956   896   NtClose  (196, ... ) == 0x0
 01957   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000015"}, ... 196, ) }, ... 196, ) == 0x0
 01958   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01959   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01960   896   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01961   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\253\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01962   896   NtClose  (196, ... ) == 0x0
 01963   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000016"}, ... 196, ) }, ... 196, ) == 0x0
 01964   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01965   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01966   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\257\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\260\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01967   896   NtClose  (196, ... ) == 0x0
 01968   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000017"}, ... 196, ) }, ... 196, ) == 0x0
 01969   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01970   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01971   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\264\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\265\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\266\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\267\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01972   896   NtClose  (196, ... ) == 0x0
 01973   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000018"}, ... 196, ) }, ... 196, ) == 0x0
 01974   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01975   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01976   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\274\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\274\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\274\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\271\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\272\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\273\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\274\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01977   896   NtClose  (196, ... ) == 0x0
 01978   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000019"}, ... 196, ) }, ... 196, ) == 0x0
 01979   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01980   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01981   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\276\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\277\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01982   896   NtClose  (196, ... ) == 0x0
 01983   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000020"}, ... 196, ) }, ... 196, ) == 0x0
 01984   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01985   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01986   896   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01987   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\304\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\305\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01988   896   NtClose  (196, ... ) == 0x0
 01989   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000021"}, ... 196, ) }, ... 196, ) == 0x0
 01990   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01991   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01992   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\311\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\300\226\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\312\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\313\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01993   896   NtClose  (196, ... ) == 0x0
 01994   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000022"}, ... 196, ) }, ... 196, ) == 0x0
 01995   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01996   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01997   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\322\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\234\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hx\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\322\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\234\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hx\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\316\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\317\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\321\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\322\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\234\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hx\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 01998   896   NtClose  (196, ... ) == 0x0
 01999   896   NtClose  (192, ... ) == 0x0
 02000   896   NtWaitForSingleObject  (180, 0, {0, 0}, ... ) == 0x102
 02001   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0
 02002   896   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 196, ) }, ... 196, ) == 0x0
 02003   896   NtQueryValueKey  (196,  (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 02004   896   NtNotifyChangeKey  (196, 192, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 02005   896   NtQueryValueKey  (196,  (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 02006   896   NtOpenKey  (0x2000000, {24, 196, 0x40, 0, 0,  (0x2000000, {24, 196, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02007   896   NtQueryValueKey  (196,  (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 02008   896   NtOpenKey  (0x2000000, {24, 196, 0x40, 0, 0,  (0x2000000, {24, 196, 0x40, 0, 0, "Catalog_Entries"}, ... 200, ) }, ... 200, ) == 0x0
 02009   896   NtOpenKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "000000000001"}, ... 204, ) }, ... 204, ) == 0x0
 02010   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02011   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02012   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 02013   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 02014   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 02015   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 02016   896   NtQueryValueKey  (204,  (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 02017   896   NtQueryValueKey  (204,  (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02018   896   NtQueryValueKey  (204,  (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 02019   896   NtQueryValueKey  (204,  (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02020   896   NtQueryValueKey  (204,  (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02021   896   NtQueryValueKey  (204,  (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02022   896   NtClose  (204, ... ) == 0x0
 02023   896   NtOpenKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "000000000002"}, ... 204, ) }, ... 204, ) == 0x0
 02024   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02025   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02026   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 02027   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 02028   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 02029   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 02030   896   NtQueryValueKey  (204,  (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 02031   896   NtQueryValueKey  (204,  (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02032   896   NtQueryValueKey  (204,  (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 02033   896   NtQueryValueKey  (204,  (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02034   896   NtQueryValueKey  (204,  (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02035   896   NtQueryValueKey  (204,  (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02036   896   NtClose  (204, ... ) == 0x0
 02037   896   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 02038   896   NtOpenKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "000000000003"}, ... 204, ) }, ... 204, ) == 0x0
 02039   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02040   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02041   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02042   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02043   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02044   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02045   896   NtQueryValueKey  (204,  (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 02046   896   NtQueryValueKey  (204,  (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02047   896   NtQueryValueKey  (204,  (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 02048   896   NtQueryValueKey  (204,  (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02049   896   NtQueryValueKey  (204,  (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02050   896   NtQueryValueKey  (204,  (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02051   896   NtClose  (204, ... ) == 0x0
 02052   896   NtOpenKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "000000000004"}, ... 204, ) }, ... 204, ) == 0x0
 02053   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02054   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02055   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02056   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02057   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02058   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02059   896   NtQueryValueKey  (204,  (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 02060   896   NtQueryValueKey  (204,  (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02061   896   NtQueryValueKey  (204,  (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 02062   896   NtQueryValueKey  (204,  (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02063   896   NtQueryValueKey  (204,  (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02064   896   NtQueryValueKey  (204,  (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02065   896   NtClose  (204, ... ) == 0x0
 02066   896   NtClose  (200, ... ) == 0x0
 02067   896   NtWaitForSingleObject  (192, 0, {0, 0}, ... ) == 0x102
 02068   896   NtClose  (184, ... ) == 0x0
 02069   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02070   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02071   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 02072   896   NtQueryValueKey  (184,  (184, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02073   896   NtClose  (184, ... ) == 0x0
 02074   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 184, ) == 0x0
 02075   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3801088, 65536, ) == 0x0
 02076   896   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 02077   896   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 200, ) == 0x0
 02078   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
 02079   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 02080   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
 02081   896   NtFreeVirtualMemory  (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 65536, ) == 0x0
 02082   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 02083   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02084   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02085   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02086   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02087   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02088   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02089   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02090   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02091   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02092   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02093   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02094   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02095   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02096   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02097   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02098   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02099   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02100   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02101   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02102   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02103   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02104   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02105   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02106   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02107   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02108   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02109   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02110   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02111   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02112   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02113   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02114   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02115   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02116   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02117   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02118   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02119   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02120   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02121   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02122   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02123   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02124   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02125   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02126   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02127   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02128   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02129   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02130   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02131   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02132   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02133   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02134   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02135   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02136   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02137   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02138   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02139   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02140   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02141   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02142   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02143   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02144   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02145   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02146   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02147   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02148   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02149   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02150   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02151   896   NtClose  (200, ... ) == 0x0
 02152   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msblast.exe"}, 1244192, ... ) }, 1244192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02153   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\MSBLAST.EXE"}, 1243984, ... ) }, 1243984, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02154   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msblast.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02155   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\MSBLAST.EXE"}, 1244016, ... ) }, 1244016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02156   896   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msblast.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0
 02158   896   NtAllocateVirtualMemory  (-1, 9437184, 0, 72104, 4096, 4, ... 9437184, 73728, ) == 0x0
 02159   896   NtDelayExecution  (0, {-1000000, -1}, ... ) == 0x0
 02160   896   NtWaitForSingleObject  (192, 0, {0, 0}, ... ) == 0x102
 02161   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0
 02162   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 02163   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 200, ... 204, ) == 0x0
 02164   896   NtClose  (200, ... ) == 0x0
 02165   896   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 245760, ) == 0x0
 02166   896   NtClose  (204, ... ) == 0x0
 02167   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02168   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240972, ... ) }, 1240972, ... ) == 0x0
 02169   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 02170   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0
 02171   896   NtQuerySection  (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02172   896   NtClose  (204, ... ) == 0x0
 02173   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 02174   896   NtClose  (200, ... ) == 0x0
 02175   896   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 02176   896   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 02177   896   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 02178   896   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 02179   896   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 02180   896   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 02181   896   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 02182   896   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 02183   896   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 02184   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02185   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02186   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02187   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 02188   896   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 02189   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02190   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1240768, ... ) }, 1240768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02191   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 1240768, ... ) }, 1240768, ... ) == 0x0
 02192   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 02193   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 02194   896   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02195   896   NtClose  (204, ... ) == 0x0
 02196   896   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 02197   896   NtClose  (208, ... ) == 0x0
 02198   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02199   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02200   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02201   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02202   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02203   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02204   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02205   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02206   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02207   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02208   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02209   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02210   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02211   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02212   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02213   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02214   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02215   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02216   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02217   896   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 02218   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02219   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02220   896   NtQueryValueKey  (204,  (204, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02221   896   NtQueryValueKey  (208,  (208, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02222   896   NtQueryValueKey  (204,  (204, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02223   896   NtQueryValueKey  (208,  (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02224   896   NtQueryValueKey  (204,  (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02225   896   NtQueryValueKey  (208,  (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02226   896   NtQueryValueKey  (204,  (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02227   896   NtQueryValueKey  (208,  (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02228   896   NtQueryValueKey  (204,  (204, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02229   896   NtQueryValueKey  (204,  (204, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02230   896   NtQueryValueKey  (204,  (204, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02231   896   NtQueryValueKey  (204,  (204, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02232   896   NtQueryValueKey  (204,  (204, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02233   896   NtQueryValueKey  (204,  (204, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02234   896   NtQueryValueKey  (204,  (204, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02235   896   NtQueryValueKey  (204,  (204, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02236   896   NtQueryValueKey  (204,  (204, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02237   896   NtQueryValueKey  (208,  (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02238   896   NtQueryValueKey  (204,  (204, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02239   896   NtQueryValueKey  (204,  (204, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02240   896   NtQueryValueKey  (208,  (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02241   896   NtQueryValueKey  (204,  (204, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02242   896   NtQueryValueKey  (208,  (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02243   896   NtQueryValueKey  (204,  (204, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02244   896   NtQueryValueKey  (208,  (208, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02245   896   NtQueryValueKey  (204,  (204, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02246   896   NtQueryValueKey  (208,  (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02247   896   NtQueryValueKey  (204,  (204, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02248   896   NtQueryValueKey  (208,  (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02249   896   NtQueryValueKey  (204,  (204, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02250   896   NtQueryValueKey  (208,  (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02251   896   NtQueryValueKey  (204,  (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02252   896   NtQueryValueKey  (208,  (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02253   896   NtQueryValueKey  (204,  (204, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02254   896   NtQueryValueKey  (204,  (204, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02255   896   NtQueryValueKey  (204,  (204, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02256   896   NtQueryValueKey  (204,  (204, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02257   896   NtQueryValueKey  (204,  (204, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02258   896   NtQueryValueKey  (204,  (204, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02259   896   NtQueryValueKey  (204,  (204, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02260   896   NtQueryValueKey  (204,  (204, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02261   896   NtQueryValueKey  (204,  (204, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02262   896   NtQueryValueKey  (204,  (204, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02263   896   NtQueryValueKey  (204,  (204, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02264   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02265   896   NtQueryValueKey  (212,  (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02266   896   NtClose  (212, ... ) == 0x0
 02267   896   NtClose  (208, ... ) == 0x0
 02268   896   NtClose  (204, ... ) == 0x0
 02269   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02270   896   NtQueryValueKey  (204,  (204, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02271   896   NtQueryValueKey  (204,  (204, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02272   896   NtQueryValueKey  (204,  (204, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02273   896   NtClose  (204, ... ) == 0x0
 02274   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0
 02275   896   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 1241228, 188, ... 208, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241228, 188, ... 208, 0x0, 0x0, 0x0, 188, ) == 0x0
 02276   896   NtRequestWaitReplyPort  (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721}  (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\300\24\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0y\17~\323\204\346G\371\270\24\25\0h\1\24\0\12\0\0\0\0\0\0\0\270\24\25\0(\0\0\0\300\24\25\0\355y\36\17x\1\24\0(\0\0\0\376\317\0\0\0\0\24\0\350\356\22\0\273\331r4\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81909, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\300\24\25\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0y\17~\323\204\346G\371\270\24\25\0h\1\24\0\12\0\0\0\0\0\0\0\270\24\25\0(\0\0\0\300\24\25\0\355y\36\17x\1\24\0(\0\0\0\376\317\0\0\0\0\24\0\350\356\22\0\273\331r4\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1252, 896, 81909, 0}  (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\300\24\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0y\17~\323\204\346G\371\270\24\25\0h\1\24\0\12\0\0\0\0\0\0\0\270\24\25\0(\0\0\0\300\24\25\0\355y\36\17x\1\24\0(\0\0\0\376\317\0\0\0\0\24\0\350\356\22\0\273\331r4\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81909, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\300\24\25\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0y\17~\323\204\346G\371\270\24\25\0h\1\24\0\12\0\0\0\0\0\0\0\270\24\25\0(\0\0\0\300\24\25\0\355y\36\17x\1\24\0(\0\0\0\376\317\0\0\0\0\24\0\350\356\22\0\273\331r4\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02277   896   NtRequestWaitReplyPort  (208, {64, 88, new_msg, 0, 0, 0, 0, 0}  (208, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 1252, 896, 81910, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ... {52, 76, reply, 0, 1252, 896, 81910, 0}  (208, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 1252, 896, 81910, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 02278   896   NtClose  (204, ... ) == 0x0
 02279   896   NtClose  (208, ... ) == 0x0
 02280   896   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 02281   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02282   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02283   896   NtQueryValueKey  (208,  (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02284   896   NtQueryValueKey  (208,  (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02285   896   NtClose  (208, ... ) == 0x0
 02286   896   NtClose  (204, ... ) == 0x0
 02287   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0
 02288   896   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 1241076, 188, ... 208, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241076, 188, ... 208, 0x0, 0x0, 0x0, 188, ) == 0x0
 02289   896   NtRequestWaitReplyPort  (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721}  (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} "\0\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\217K&\320\322%\30[\236-\241\237H\35\14\222\12\0\0\0\245-\31r\367\204\252a\0\0\0\0@\22\25\09\302\300\37\262\372\204X(\0\0\0\261\243\0\213\0\0\24\0P\356\22\0\217\327\263\373\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81913, 0} "\7\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\217K&\320\322%\30[\236-\241\237H\35\14\222\12\0\0\0\245-\31r\367\204\252a\0\0\0\0@\22\25\09\302\300\37\262\372\204X(\0\0\0\261\243\0\213\0\0\24\0P\356\22\0\217\327\263\373\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1252, 896, 81913, 0}  (208, {200, 224, new_msg, 0, 1344344, 12, 2, 1310721} "\0\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\217K&\320\322%\30[\236-\241\237H\35\14\222\12\0\0\0\245-\31r\367\204\252a\0\0\0\0@\22\25\09\302\300\37\262\372\204X(\0\0\0\261\243\0\213\0\0\24\0P\356\22\0\217\327\263\373\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81913, 0} "\7\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\217K&\320\322%\30[\236-\241\237H\35\14\222\12\0\0\0\245-\31r\367\204\252a\0\0\0\0@\22\25\09\302\300\37\262\372\204X(\0\0\0\261\243\0\213\0\0\24\0P\356\22\0\217\327\263\373\0\0\0\0@\7\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02290   896   NtRequestWaitReplyPort  (208, {44, 68, new_msg, 0, 1252, 896, 81910, 0}  (208, {44, 68, new_msg, 0, 1252, 896, 81910, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81914, 0} "\2\356Q\200\4\0\0\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300lkt\367X\353Q\200\320\1\0\0X-\12\0" )  ... {40, 64, reply, 0, 1252, 896, 81914, 0}  (208, {44, 68, new_msg, 0, 1252, 896, 81910, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81914, 0} "\2\356Q\200\4\0\0\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300lkt\367X\353Q\200\320\1\0\0X-\12\0" )  ) == 0x0
 02291   896   NtRequestWaitReplyPort  (208, {64, 88, new_msg, 56, 1349616, 1241588, 1241688, 0}  (208, {64, 88, new_msg, 56, 1349616, 1241588, 1241688, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vd\230\24\0\1\0\0\0\20\26\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\22\25\0" ... {64, 88, reply, 56, 1252, 896, 81915, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vd\230\24\0\1\0\0\0\20\26\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\22\25\0" )  ... {64, 88, reply, 56, 1252, 896, 81915, 0}  (208, {64, 88, new_msg, 56, 1349616, 1241588, 1241688, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vd\230\24\0\1\0\0\0\20\26\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\22\25\0" ... {64, 88, reply, 56, 1252, 896, 81915, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vd\230\24\0\1\0\0\0\20\26\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\22\25\0" )  ) == 0x0
 02292   896   NtClose  (204, ... ) == 0x0
 02293   896   NtClose  (208, ... ) == 0x0
 02294   896   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 02295   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02296   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02297   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298   896   NtQueryValueKey  (208,  (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02299   896   NtQueryValueKey  (208,  (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02300   896   NtClose  (208, ... ) == 0x0
 02301   896   NtClose  (204, ... ) == 0x0
 02302   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02303   896   NtQueryValueKey  (204,  (204, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02304   896   NtClose  (204, ... ) == 0x0
 02305   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0
 02306   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 02307   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 208, ) == 0x0
 02308   896   NtClose  (204, ... ) == 0x0
 02309   896   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 20480, ) == 0x0
 02310   896   NtClose  (208, ... ) == 0x0
 02311   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02312   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1240972, ... ) }, 1240972, ... ) == 0x0
 02313   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02314   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 02315   896   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02316   896   NtClose  (208, ... ) == 0x0
 02317   896   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02318   896   NtClose  (204, ... ) == 0x0
 02319   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02320   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02321   896   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02322   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02323   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02324   896   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02325   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "WLDAP32.dll"}, ... 204, ) }, ... 204, ) == 0x0
 02326   896   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02327   896   NtClose  (204, ... ) == 0x0
 02328   896   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02329   896   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02330   896   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02331   896   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02332   896   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02333   896   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02334   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02335   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02336   896   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02337   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02338   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0
 02339   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 208, ) }, ... 208, ) == 0x0
 02340   896   NtQueryValueKey  (208,  (208, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02341   896   NtClose  (208, ... ) == 0x0
 02342   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02343   896   NtQueryPerformanceCounter  (... {-1446884868, 16}, {3579545, 0}, ) == 0x0
 02344   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0
 02345   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02346   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3801088, 65536, ) == 0x0
 02347   896   NtAllocateVirtualMemory  (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0
 02348   896   NtAllocateVirtualMemory  (-1, 3805184, 0, 8192, 4096, 4, ... 3805184, 8192, ) == 0x0
 02349   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0
 02350   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02351   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 208, ... 212, ) == 0x0
 02352   896   NtClose  (208, ... ) == 0x0
 02353   896   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 110592, ) == 0x0
 02354   896   NtClose  (212, ... ) == 0x0
 02355   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 02356   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 1240972, ... ) }, 1240972, ... ) == 0x0
 02357   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 02358   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 212, ... 208, ) == 0x0
 02359   896   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02360   896   NtClose  (212, ... ) == 0x0
 02361   896   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0
 02362   896   NtClose  (208, ... ) == 0x0
 02363   896   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02364   896   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02365   896   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02366   896   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02367   896   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02368   896   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02369   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02370   896   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 02371   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1240148, ... ) }, 1240148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02372   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1240148, ... ) }, 1240148, ... ) == 0x0
 02373   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02374   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0
 02375   896   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02376   896   NtClose  (208, ... ) == 0x0
 02377   896   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 02378   896   NtClose  (212, ... ) == 0x0
 02379   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02380   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02381   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02382   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02383   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02384   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02385   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02386   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02387   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02388   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02389   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02390   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02391   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02392   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02393   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02394   896   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02395   896   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02396   896   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02397   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02398   896   NtQueryDefaultUILanguage  (2090319928, ...
 02399   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02400   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482760, ) == 0x0
 02401   896   NtQueryInformationToken  (-2147482760, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02402   896   NtClose  (-2147482760, ... ) == 0x0
 02403   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482760, ) }, ... -2147482760, ) == 0x0
 02404   896   NtOpenKey  (0x80000000, {24, -2147482760, 0x240, 0, 0,  (0x80000000, {24, -2147482760, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02405   896   NtOpenKey  (0x80000000, {24, -2147482760, 0x640, 0, 0,  (0x80000000, {24, -2147482760, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482680, ) }, ... -2147482680, ) == 0x0
 02406   896   NtQueryValueKey  (-2147482680,  (-2147482680, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02407   896   NtClose  (-2147482680, ... ) == 0x0
 02408   896   NtClose  (-2147482760, ... ) == 0x0
 02398   896   NtQueryDefaultUILanguage  ... ) == 0x0
 02409   896   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02410   896   NtQueryDefaultLocale  (1, 1240868, ... ) == 0x0
 02411   896   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02412   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02413   896   NtQueryValueKey  (212,  (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02414   896   NtClose  (212, ... ) == 0x0
 02415   896   NtUserGetProcessWindowStation  (... ) == 0x14
 02416   896   NtUserGetObjectInformation  (20, 1, 1240464, 12, 1240476, ... ) == 0x1
 02417   896   NtOpenKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02418   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\WPA\PnP"}, ... 212, ) }, ... 212, ) == 0x0
 02419   896   NtQueryValueKey  (212,  (212, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02420   896   NtClose  (212, ... ) == 0x0
 02421   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02422   896   NtQueryValueKey  (212,  (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02423   896   NtQueryValueKey  (212,  (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02424   896   NtClose  (212, ... ) == 0x0
 02425   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02426   896   NtQueryValueKey  (212,  (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02427   896   NtQueryValueKey  (212,  (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02428   896   NtClose  (212, ... ) == 0x0
 02429   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02430   896   NtQueryValueKey  (212,  (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02431   896   NtQueryValueKey  (212,  (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02432   896   NtClose  (212, ... ) == 0x0
 02433   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02434   896   NtQueryValueKey  (212,  (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02435   896   NtQueryValueKey  (212,  (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02436   896   NtClose  (212, ... ) == 0x0
 02437   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02438   896   NtQueryValueKey  (212,  (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02439   896   NtQueryValueKey  (212,  (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02440   896   NtClose  (212, ... ) == 0x0
 02441   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02442   896   NtQueryValueKey  (212,  (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02443   896   NtQueryValueKey  (212,  (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02444   896   NtClose  (212, ... ) == 0x0
 02445   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 212, ) }, ... 212, ) == 0x0
 02446   896   NtQueryValueKey  (212,  (212, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02447   896   NtQueryValueKey  (212,  (212, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (212, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02448   896   NtClose  (212, ... ) == 0x0
 02449   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
 02450   896   NtCreateMutant  (0x1f0001, 0x0, 0, ... 208, ) == 0x0
 02451   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0
 02452   896   NtCreateMutant  (0x1f0001, 0x0, 0, ... 220, ) == 0x0
 02453   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 02454   896   NtCreateMutant  (0x1f0001, 0x0, 0, ... 228, ) == 0x0
 02455   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 232, ) }, ... 232, ) == 0x0
 02456   896   NtQueryValueKey  (232,  (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02457   896   NtQueryValueKey  (232,  (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02458   896   NtQueryValueKey  (232,  (232, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02459   896   NtOpenKey  (0x1, {24, 232, 0x40, 0, 0,  (0x1, {24, 232, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02460   896   NtClose  (232, ... ) == 0x0
 02461   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1240380, ... ) }, 1240380, ... ) == 0x0
 02462   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 232, ) }, ... 232, ) == 0x0
 02463   896   NtQueryValueKey  (232,  (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02464   896   NtClose  (232, ... ) == 0x0
 02465   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 232, ) }, ... 232, ) == 0x0
 02466   896   NtQueryValueKey  (232,  (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02467   896   NtClose  (232, ... ) == 0x0
 02468   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02469   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 232, ) }, ... 232, ) == 0x0
 02470   896   NtQueryValueKey  (232,  (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02471   896   NtClose  (232, ... ) == 0x0
 02472   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02473   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 232, ) == 0x0
 02474   896   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 1240880, 188, ... 236, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1240880, 188, ... 236, 0x0, 0x0, 0x0, 188, ) == 0x0
 02475   896   NtRequestWaitReplyPort  (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2}  (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@ (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0(\0\0\0H (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ... {200, 224, reply, 0, 1252, 896, 81918, 0}  (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0h\1\24\0\12\0\0\0\0\0\0\0@ (236, {200, 224, new_msg, 0, 3276848, 1385072, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0H"\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81918, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\371\322\331\360\213\320\253&@"\25\0h\1\24\0\12\0\0\0\0\0\0\0@"\25\0(\0\0\0H"\25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0k\224\202\234x\1\24\0(\0\0\0\344X\0\0\0\0\24\0\214\355\22\0\374\325\247\276\0\0\0\0P\32\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) == 0x0
 02476   896   NtRequestWaitReplyPort  (236, {96, 120, new_msg, 0, 1252, 896, 81914, 0}  (236, {96, 120, new_msg, 0, 1252, 896, 81914, 0} "\1\356\0\0A\2\11\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0,h\24\0\16\0\0\0\0\0\0\0\16\0\0\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 1252, 896, 81919, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 1252, 896, 81919, 0}  (236, {96, 120, new_msg, 0, 1252, 896, 81914, 0} "\1\356\0\0A\2\11\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0,h\24\0\16\0\0\0\0\0\0\0\16\0\0\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 1252, 896, 81919, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02477   896   NtClose  (232, ... ) == 0x0
 02478   896   NtClose  (236, ... ) == 0x0
 02479   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Linkage"}, ... 236, ) }, ... 236, ) == 0x0
 02480   896   NtQueryValueKey  (236,  (236, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02481   896   NtQueryValueKey  (236,  (236, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02482   896   NtQueryValueKey  (236,  (236, "Export", Partial, 958, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0C\09\0C\0-\0E\0E\0A\0F\0B\07\06\0F\0F\0A\02\0F\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\08\02\00\0-\09\02\07\0E\02\00\07\06\00\0A\0B\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0\0\0\0\0\276\3\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0\260"\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\377\377\377\377\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\1\0\1\04\0\0\300\0\0\0\0\264\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0&#\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\377\377\377\377\0\0"}, 958, ) , Partial, 958, ... TitleIdx=0, Type=7, Data= (236, "Export", Partial, 958, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0C\09\0C\0-\0E\0E\0A\0F\0B\07\06\0F\0F\0A\02\0F\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\08\02\00\0-\09\02\07\0E\02\00\07\06\00\0A\0B\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0\0\0\0\0\276\3\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0\260"\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\377\377\377\377\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\1\0\1\04\0\0\300\0\0\0\0\264\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0&#\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\377\377\377\377\0\0"}, 958, ) \25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\377\377\377\377\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\263\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\1\0\1\04\0\0\300\0\0\0\0\264\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0&#\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\377\377\377\377\0\0"}, 958, ) == 0x0
 02483   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{FCC03A41-8CCC-4919-A472-69728EB8A7D7}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02484   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{AE7421B5-732D-4567-A6C1-5425C0DE27B6}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02485   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{97C2D9F4-6954-4EB3-8C9C-EEAFB76FFA2F}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02486   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{0D430A6F-0410-4A68-9820-927E20760AB4}"}, 0x0, 0, 3, 3, 0, 0, 0, ... 232, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 0, 0, ... 232, {status=0x0, info=0}, ) == 0x0
 02487   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{8AD4D806-081B-4446-A4DB-6273DFAED94F}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02488   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{E559B0C1-FA46-464D-B965-7E2AC2627EE9}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02489   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{CD3C64B8-DB76-44C8-9C02-70E6C1185259}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02490   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{21B8E9D5-3FC3-4F9D-8FA8-4CA01330DCD8}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02491   896   NtClose  (236, ... ) == 0x0
 02492   896   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 236, ) == 0x0
 02493   896   NtDeviceIoControlFile  (232, 236, 0x0, 0x0, 0x210096,  (232, 236, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0MICROSOFT.COM  \0", 24, 1160, ... {status=0x140178, info=1311096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 24, 1160, ... {status=0x140178, info=1311096},  (232, 236, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0MICROSOFT.COM  \0", 24, 1160, ... {status=0x140178, info=1311096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02494   896   NtWaitForMultipleObjects  (1, (236, ), 1, 0, 0x0, ... ) == 0x0
 02495   896   NtClose  (236, ... ) == 0x0
 02496   896   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 236, ) }, ... 236, ) == 0x0
 02497   896   NtQueryValueKey  (236,  (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 02498   896   NtQueryValueKey  (236,  (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 02499   896   NtQueryValueKey  (236,  (236, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02500   896   NtClose  (236, ... ) == 0x0
 02501   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02502   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 1241712, ... ) }, 1241712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02503   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasadhlp.dll"}, 1241712, ... ) }, 1241712, ... ) == 0x0
 02504   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasadhlp.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 02505   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 236, ... 240, ) == 0x0
 02506   896   NtQuerySection  (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02507   896   NtClose  (236, ... ) == 0x0
 02508   896   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 24576, ) == 0x0
 02509   896   NtClose  (240, ... ) == 0x0
 02510   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02511   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02512   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02513   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02514   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02515   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02516   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02517   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02518   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02519   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02520   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02521   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02522   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02523   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02524   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02525   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02526   896   NtQueryPerformanceCounter  (... {-1438799449, 16}, {3579545, 0}, ) == 0x0
 02527   896   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 240, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 240, {status=0x0, info=0}, ) == 0x0
 02528   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 236, ) == 0x0
 02529   896   NtDeviceIoControlFile  (240, 236, 0x0, 0x0, 0xf14014,  (240, 236, 0x0, 0x0, 0xf14014, "\3\0\0\0microsoft.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02530   896   NtClose  (236, ... ) == 0x0
 02531   896   NtClose  (240, ... ) == 0x0
 02532   896   NtDelayExecution  (0, {-1705032704, -2}, ...
NtAddAtom(>)	1	NtUserGetObjectInformation(>)	1	NtOpenEvent(>)	4	NtCreateEvent(>)	26
NtAdjustPrivilegesToken(>)	1	NtUserGetProcessWindowStation(>)	1	NtQueryPerformanceCounter(>)	4	NtFreeVirtualMemory(>)	28
NtCallbackReturn(>)	1	NtUserGetThreadDesktop(>)	1	NtSetInformationObject(>)	4	NtOpenProcess(>)	29
NtCreateThread(>)	1	NtAccessCheck(>)	2	NtFsControlFile(>)	5	NtOpenFile(>)	30
NtEnumerateValueKey(>)	1	NtContinue(>)	2	NtGdiGetStockObject(>)	5	NtCreateFile(>)	31
NtGdiCreateBitmap(>)	1	NtCreateIoCompletion(>)	2	NtOpenProcessToken(>)	5	NtUserFindExistingCursorIcon(>)	34
NtGdiInit(>)	1	NtEnumerateKey(>)	2	NtSetInformationFile(>)	5	NtRequestWaitReplyPort(>)	39
NtGdiQueryFontAssocInfo(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryDefaultUILanguage(>)	6	NtUserRegisterClassExWOW(>)	42
NtGdiSelectBitmap(>)	1	NtNotifyChangeKey(>)	2	NtQueryVolumeInformationFile(>)	6	NtQueryVirtualMemory(>)	54
NtOpenKeyedEvent(>)	1	NtOpenDirectoryObject(>)	2	NtWaitForSingleObject(>)	6	NtOpenSection(>)	57
NtOpenSymbolicLinkObject(>)	1	NtOpenThreadToken(>)	2	NtCreateMutant(>)	7	NtCreateSection(>)	76
NtQueryInstallUILanguage(>)	1	NtQueryKey(>)	2	NtQueryInformationProcess(>)	7	NtQueryAttributesFile(>)	77
NtQueryObject(>)	1	NtReadFile(>)	2	NtUserSystemParametersInfo(>)	7	NtQuerySystemInformation(>)	82
NtQuerySymbolicLinkObject(>)	1	NtUserRegisterWindowMessage(>)	2	NtQueryDebugFilterState(>)	8	NtUnmapViewOfSection(>)	82
NtQuerySystemTime(>)	1	NtWaitForMultipleObjects(>)	2	NtSetValueKey(>)	8	NtAllocateVirtualMemory(>)	95
NtRegisterThreadTerminatePort(>)	1	NtWriteFile(>)	2	NtOpenProcessTokenEx(>)	9	NtFlushInstructionCache(>)	101
NtResumeThread(>)	1	NtCreateSemaphore(>)	3	NtOpenThreadTokenEx(>)	9	NtWriteVirtualMemory(>)	116
NtSecureConnectPort(>)	1	NtDelayExecution(>)	3	NtQueryInformationFile(>)	9	NtMapViewOfSection(>)	142
NtSetInformationProcess(>)	1	NtDuplicateObject(>)	3	NtCreateKey(>)	11	NtOpenKey(>)	190
NtTestAlert(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQueryInformationToken(>)	12	NtQueryValueKey(>)	256
NtUserCallNoParam(>)	1	NtQueryDefaultLocale(>)	3	NtQuerySection(>)	13	NtProtectVirtualMemory(>)	319
NtUserCallOneParam(>)	1	NtSetInformationThread(>)	3	NtQueryDirectoryFile(>)	14	NtClose(>)	379
NtUserGetDC(>)	1	NtConnectPort(>)	4	NtDeviceIoControlFile(>)	24