Summary:


NtAddAtom(>)  1 
NtUserGetObjectInformation(>)  1 
NtOpenEvent(>)  4 
NtCreateEvent(>)  26 

NtAdjustPrivilegesToken(>)  1 
NtUserGetProcessWindowStation(>)  1 
NtQueryPerformanceCounter(>)  4 
NtFreeVirtualMemory(>)  28 

NtCallbackReturn(>)  1 
NtUserGetThreadDesktop(>)  1 
NtSetInformationObject(>)  4 
NtOpenProcess(>)  29 

NtCreateThread(>)  1 
NtAccessCheck(>)  2 
NtFsControlFile(>)  5 
NtOpenFile(>)  30 

NtEnumerateValueKey(>)  1 
NtContinue(>)  2 
NtGdiGetStockObject(>)  5 
NtCreateFile(>)  31 

NtGdiCreateBitmap(>)  1 
NtCreateIoCompletion(>)  2 
NtOpenProcessToken(>)  5 
NtUserFindExistingCursorIcon(>)  34 

NtGdiInit(>)  1 
NtEnumerateKey(>)  2 
NtSetInformationFile(>)  5 
NtRequestWaitReplyPort(>)  39 

NtGdiQueryFontAssocInfo(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryDefaultUILanguage(>)  6 
NtQueryAttributesFile(>)  41 

NtGdiSelectBitmap(>)  1 
NtNotifyChangeKey(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtUserRegisterClassExWOW(>)  42 

NtOpenKeyedEvent(>)  1 
NtOpenDirectoryObject(>)  2 
NtWaitForSingleObject(>)  6 
NtQueryVirtualMemory(>)  54 

NtOpenSymbolicLinkObject(>)  1 
NtOpenThreadToken(>)  2 
NtCreateMutant(>)  7 
NtOpenSection(>)  55 

NtQueryInstallUILanguage(>)  1 
NtQueryKey(>)  2 
NtQueryInformationProcess(>)  7 
NtCreateSection(>)  76 

NtQueryObject(>)  1 
NtReadFile(>)  2 
NtUserSystemParametersInfo(>)  7 
NtQuerySystemInformation(>)  82 

NtQuerySymbolicLinkObject(>)  1 
NtUserRegisterWindowMessage(>)  2 
NtQueryDebugFilterState(>)  8 
NtUnmapViewOfSection(>)  82 

NtQuerySystemTime(>)  1 
NtWaitForMultipleObjects(>)  2 
NtSetValueKey(>)  8 
NtAllocateVirtualMemory(>)  95 

NtRegisterThreadTerminatePort(>)  1 
NtWriteFile(>)  2 
NtOpenProcessTokenEx(>)  9 
NtFlushInstructionCache(>)  101 

NtResumeThread(>)  1 
NtCreateSemaphore(>)  3 
NtOpenThreadTokenEx(>)  9 
NtWriteVirtualMemory(>)  116 

NtSecureConnectPort(>)  1 
NtDelayExecution(>)  3 
NtQueryInformationFile(>)  9 
NtMapViewOfSection(>)  142 

NtSetInformationProcess(>)  1 
NtDuplicateObject(>)  3 
NtCreateKey(>)  11 
NtOpenKey(>)  190 

NtTestAlert(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryInformationToken(>)  12 
NtQueryValueKey(>)  256 

NtUserCallNoParam(>)  1 
NtQueryDefaultLocale(>)  3 
NtQuerySection(>)  13 
NtProtectVirtualMemory(>)  319 

NtUserCallOneParam(>)  1 
NtSetInformationThread(>)  3 
NtQueryDirectoryFile(>)  14 
NtClose(>)  379 

NtUserGetDC(>)  1 
NtConnectPort(>)  4 
NtDeviceIoControlFile(>)  24 

Trace:
 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482756, {status=0x0, info=1}, ) }, 0, 32, ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147482756, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147482756, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147482756, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147482756, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147482756, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147482756, 0, 0x0, 0x0, 0x90120,  (-2147482756, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147482764, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147482764, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147482764, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147482764, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147482764, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00037   896   NtClose  (-2147482688, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0
 00053   896   NtClose  (-2147482760, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0
 00055   896   NtClose  (-2147481628, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0
 00057   896   NtClose  (-2147481484, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0
 00059   896   NtClose  (-2147482104, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482592, ) == 0x0
 00061   896   NtClose  (-2147482592, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482592, ... -2147481624, ) == 0x0
 00063   896   NtClose  (-2147481624, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481624, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147482764, ... ) == 0x0
 00093   896   NtClose  (-2147482688, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147482760, ... ) == 0x0
 00102   896   NtClose  (-2147481628, ... ) == 0x0
 00103   896   NtClose  (-2147481484, ... ) == 0x0
 00104   896   NtClose  (-2147482104, ... ) == 0x0
 00105   896   NtClose  (-2147482592, ... ) == 0x0
 00106   896   NtClose  (-2147481624, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481624, ) == 0x0
 00145   896   NtClose  (-2147481624, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481624, ... -2147482592, ) == 0x0
 00147   896   NtClose  (-2147482592, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482592, ... -2147482104, ) == 0x0
 00149   896   NtClose  (-2147482104, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482104, ... -2147481484, ) == 0x0
 00151   896   NtClose  (-2147481484, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0
 00153   896   NtClose  (-2147481628, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0
 00155   896   NtClose  (-2147482760, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147481624, ... ) == 0x0
 00178   896   NtClose  (-2147482592, ... ) == 0x0
 00179   896   NtClose  (-2147482104, ... ) == 0x0
 00180   896   NtClose  (-2147481484, ... ) == 0x0
 00181   896   NtClose  (-2147481628, ... ) == 0x0
 00182   896   NtClose  (-2147482760, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147482756, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 8, ) }, ... 8, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 12, ) }, ... 12, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "KnownDllPath"}, ... 16, ) }, ... 16, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (16, ...  (16, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (16, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 16, {status=0x0, info=1}, ) }, 3, 33, ... 16, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (16, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "kernel32.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00204   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (20, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 20, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 28, {24, 20, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 28, {24, 20, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (20, ... ) == 0x0
 00215   896   NtQueryObject  (28, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (28, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81831, 0}  (28, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 20, ) }, ... 20, ) == 0x0
 00224   896   NtQueryValueKey  (20,  (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (20, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 20, ) }, ... 20, ) == 0x0
 00227   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (20, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 20, ) }, ... 20, ) == 0x0
 00231   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (20, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 20, ) }, ... 20, ) == 0x0
 00234   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (20, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (20, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 20, ) }, ... 20, ) == 0x0
 00238   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (20, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81832, 0}  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81833, 0}  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtWaitForMultipleObjects  (2, (20, 32, ), 1, 0, 0x0, ... ) == 0x0
 00247   896   NtClose  (20, ... ) == 0x0
 00248   896   NtClose  (32, ... ) == 0x0
 00249   896   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0<\0\0\0\0\0" ... {24, 52, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0<\0\0\0\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81834, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0<\0\0\0\0\0" ... {24, 52, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0<\0\0\0\0\0" )  ) == 0x0
 00250   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 4, ... (0x40a000), 32768, 128, ) == 0x0
 00251   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 128, ... (0x40a000), 32768, 4, ) == 0x0
 00252   896   NtFlushInstructionCache  (-1, 4235264, 32768, ... ) == 0x0
 00253   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "ADVAPI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00254   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00255   896   NtClose  (32, ... ) == 0x0
 00256   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00257   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00258   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00259   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "RPCRT4.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00260   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00261   896   NtClose  (32, ... ) == 0x0
 00262   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00263   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00264   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00265   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00266   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00267   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00268   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00269   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00270   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00271   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00272   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00273   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00274   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 4, ... (0x40a000), 32768, 64, ) == 0x0
 00275   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 64, ... (0x40a000), 32768, 4, ) == 0x0
 00276   896   NtFlushInstructionCache  (-1, 4235264, 32768, ... ) == 0x0
 00277   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "ICMP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00278   896   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00279   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ICMP.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00280   896   NtFsControlFile  (16, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00281   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ICMP.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00282   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ICMP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00283   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 20, ) == 0x0
 00284   896   NtQuerySection  (20, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00285   896   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00286   896   NtQueryInformationToken  (44, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00287   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 48, ) }, ... 48, ) == 0x0
 00289   896   NtQueryValueKey  (48,  (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00290   896   NtClose  (48, ... ) == 0x0
 00291   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00292   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00293   896   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00294   896   NtClose  (48, ... ) == 0x0
 00295   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   896   NtClose  (44, ... ) == 0x0
 00297   896   NtClose  (32, ... ) == 0x0
 00298   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0
 00299   896   NtClose  (20, ... ) == 0x0
 00300   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 4, ... (0x40a000), 32768, 64, ) == 0x0
 00301   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242264, ... ) }, 1242264, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00303   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242264, ... ) }, 1242264, ... ) == 0x0
 00304   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00305   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 20, ... 32, ) == 0x0
 00306   896   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00307   896   NtClose  (20, ... ) == 0x0
 00308   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 00309   896   NtClose  (32, ... ) == 0x0
 00310   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00311   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00312   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00313   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00314   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00315   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00316   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "msvcrt.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00317   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00318   896   NtClose  (32, ... ) == 0x0
 00319   896   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00320   896   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00321   896   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00322   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00323   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00324   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00325   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00326   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00327   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00328   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "USER32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00329   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00330   896   NtClose  (32, ... ) == 0x0
 00331   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00332   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00333   896   NtClose  (32, ... ) == 0x0
 00334   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00335   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00336   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00337   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00338   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00339   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00340   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00341   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00342   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00343   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00344   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00345   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00346   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00347   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00348   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00349   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00350   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00351   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00352   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00353   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00354   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00355   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00356   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00357   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1241476, ... ) }, 1241476, ... ) == 0x0
 00358   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00359   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 20, ) == 0x0
 00360   896   NtQuerySection  (20, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00361   896   NtClose  (32, ... ) == 0x0
 00362   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00363   896   NtClose  (20, ... ) == 0x0
 00364   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00365   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00366   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00367   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00368   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240660, ... ) }, 1240660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00369   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1240660, ... ) }, 1240660, ... ) == 0x0
 00370   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00371   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 20, ... 32, ) == 0x0
 00372   896   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00373   896   NtClose  (20, ... ) == 0x0
 00374   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00375   896   NtClose  (32, ... ) == 0x0
 00376   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00377   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00378   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00379   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00380   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00381   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00382   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00383   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00384   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00385   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 64, ... (0x40a000), 32768, 4, ) == 0x0
 00386   896   NtFlushInstructionCache  (-1, 4235264, 32768, ... ) == 0x0
 00387   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 4, ... (0x40a000), 32768, 64, ) == 0x0
 00388   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 64, ... (0x40a000), 32768, 4, ) == 0x0
 00389   896   NtFlushInstructionCache  (-1, 4235264, 32768, ... ) == 0x0
 00390   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "urlmon.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00391   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42cf0000), 0x0, 1208320, ) == 0x0
 00392   896   NtClose  (32, ... ) == 0x0
 00393   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00394   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00395   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00396   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00397   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00398   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00399   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "ole32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00400   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00401   896   NtClose  (32, ... ) == 0x0
 00402   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00403   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00404   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00405   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00406   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00407   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00408   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00409   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00410   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00411   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00412   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00413   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00414   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00415   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00416   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00417   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00418   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00419   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00420   896   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00421   896   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00422   896   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00423   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00424   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00425   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00426   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "OLEAUT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00427   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00428   896   NtClose  (32, ... ) == 0x0
 00429   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00430   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00431   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00432   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00433   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00434   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00435   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00436   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00437   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00438   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00439   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00440   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00441   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00442   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00443   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00444   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00445   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00446   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00447   896   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00448   896   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00449   896   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00450   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00451   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00452   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00453   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00454   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00455   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00456   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "SHLWAPI.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00457   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00458   896   NtClose  (32, ... ) == 0x0
 00459   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00460   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00461   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00462   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00463   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00464   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00465   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00466   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00467   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00468   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00469   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00470   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00471   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00472   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00473   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00474   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00475   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00476   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00477   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00478   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00479   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00480   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00481   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00482   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00483   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00484   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00485   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00486   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "iertutil.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00487   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 00488   896   NtClose  (32, ... ) == 0x0
 00489   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00490   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00491   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00492   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00493   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00494   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00495   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00496   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00497   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00498   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00499   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00500   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00501   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00502   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00503   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00504   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00505   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00506   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00507   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0
 00508   896   NtProtectVirtualMemory  (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0
 00509   896   NtFlushInstructionCache  (-1, 1120866304, 2148, ... ) == 0x0
 00510   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 4, ... (0x40a000), 32768, 64, ) == 0x0
 00511   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 64, ... (0x40a000), 32768, 4, ) == 0x0
 00512   896   NtFlushInstructionCache  (-1, 4235264, 32768, ... ) == 0x0
 00513   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 4, ... (0x40a000), 32768, 64, ) == 0x0
 00514   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 64, ... (0x40a000), 32768, 4, ) == 0x0
 00515   896   NtFlushInstructionCache  (-1, 4235264, 32768, ... ) == 0x0
 00516   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 4, ... (0x40a000), 32768, 64, ) == 0x0
 00517   896   NtProtectVirtualMemory  (-1, (0x40a000), 32768, 64, ... (0x40a000), 32768, 4, ) == 0x0
 00518   896   NtFlushInstructionCache  (-1, 4235264, 32768, ... ) == 0x0
 00519   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00520   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00521   896   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00522   896   NtQueryInformationToken  (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00523   896   NtClose  (32, ... ) == 0x0
 00524   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00525   896   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00526   896   NtClose  (32, ... ) == 0x0
 00527   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00528   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00529   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00530   896   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00531   896   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00532   896   NtClose  (32, ... ) == 0x0
 00533   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00534   896   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00535   896   NtClose  (32, ... ) == 0x0
 00536   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00537   896   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00538   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00539   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00540   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00541   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00542   896   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00543   896   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00544   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 1311080, 0, 0, 1325904}  (28, {28, 56, new_msg, 0, 1311080, 0, 0, 1325904} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0 \0\0\0\1\0<\0\3\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81835, 0} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0\1\0\0\0\1\0<\0\3\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81835, 0}  (28, {28, 56, new_msg, 0, 1311080, 0, 0, 1325904} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0 \0\0\0\1\0<\0\3\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81835, 0} "\0\0\0\0#\2\2\0\0\0\0\0x\1\24\0\1\0\0\0\1\0<\0\3\0\0\0" )  ) == 0x0
 00545   896   NtQueryVolumeInformationFile  (4, 1243360, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00546   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089884154, 3284816, 1, 0}  (28, {28, 56, new_msg, 0, 2089884154, 3284816, 1, 0} "\0\0\0\0#\2\2\0\340\312\227|\234\367\22\0\1\0\0\0\1\0<\0\13\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81836, 0} "\0\0\0\0#\2\2\0\0\0\0\0\234\367\22\0\1\0\0\0\1\0<\0\13\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81836, 0}  (28, {28, 56, new_msg, 0, 2089884154, 3284816, 1, 0} "\0\0\0\0#\2\2\0\340\312\227|\234\367\22\0\1\0\0\0\1\0<\0\13\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81836, 0} "\0\0\0\0#\2\2\0\0\0\0\0\234\367\22\0\1\0\0\0\1\0<\0\13\0\0\0" )  ) == 0x0
 00547   896   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00548   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 20, ) }, ... 20, ) == 0x0
 00549   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00550   896   NtClose  (20, ... ) == 0x0
 00551   896   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00552   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00553   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00554   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00555   896   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00556   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00557   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00558   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00559   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (28, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6!\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81837, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81837, 0}  (28, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6!\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81837, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00560   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 20, ) }, ... 20, ) == 0x0
 00561   896   NtQueryValueKey  (20,  (20, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00562   896   NtClose  (20, ... ) == 0x0
 00563   896   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00564   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00565   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00566   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 20, ... 44, ) == 0x0
 00567   896   NtClose  (20, ... ) == 0x0
 00568   896   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00569   896   NtClose  (44, ... ) == 0x0
 00570   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00571   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00572   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00573   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 44, ... 20, ) == 0x0
 00574   896   NtClose  (44, ... ) == 0x0
 00575   896   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00576   896   NtClose  (20, ... ) == 0x0
 00577   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00578   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00579   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00580   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 20, ... 44, ) == 0x0
 00581   896   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00582   896   NtClose  (20, ... ) == 0x0
 00583   896   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00584   896   NtClose  (44, ... ) == 0x0
 00585   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00586   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00587   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00588   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00589   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00590   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00591   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00592   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00593   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00594   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00595   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00596   896   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00597   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00598   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00599   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00601   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00602   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00605   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00607   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00609   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00610   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00611   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 44, ) }, ... 44, ) == 0x0
 00612   896   NtQueryValueKey  (44,  (44, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00613   896   NtClose  (44, ... ) == 0x0
 00614   896   NtMapViewOfSection  (-2147482756, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4f0000), 0x0, 1060864, ) == 0x0
 00615   896   NtClose  (-2147482756, ... ) == 0x0
 00616   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00617   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00618   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482756, ) == 0x0
 00619   896   NtQueryInformationToken  (-2147482756, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00620   896   NtQueryInformationToken  (-2147482756, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00621   896   NtClose  (-2147482756, ... ) == 0x0
 00622   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00623   896   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00624   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00625   896   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00626   896   NtClose  (-2147482756, ... ) == 0x0
 00627   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00628   896   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00629   896   NtClose  (-2147482756, ... ) == 0x0
 00630   896   NtQueryDefaultLocale  (0, -135747252, ... ) == 0x0
 00631   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00632   896   NtUserCallNoParam  (24, ... ) == 0x0
 00633   896   NtGdiCreateCompatibleDC  (0, ...
 00634   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00633   896   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00635   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00636   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00637   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00638   896   NtGdiCreateSolidBrush  (0, 0, ...
 00639   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00638   896   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00640   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00641   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00642   896   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00643   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x30
 00644   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00645   896   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00646   896   NtClose  (52, ... ) == 0x0
 00647   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00648   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8177c017
 00649   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00650   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8177c01c
 00651   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00652   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8177c01e
 00653   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00654   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81778002
 00655   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00656   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8177c018
 00657   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00658   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8177c01a
 00659   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00660   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8177c01d
 00661   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00662   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8177c026
 00663   896   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00664   896   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8177c019
 00665   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c020
 00666   896   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c022
 00667   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c023
 00668   896   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c024
 00669   896   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c025
 00670   896   NtCallbackReturn  (0, 0, 0, ...
 00671   896   NtGdiInit  (... ) == 0x1
 00672   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00673   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00674   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00675   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00676   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00677   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3538944, 65536, ) == 0x0
 00678   896   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0
 00679   896   NtAllocateVirtualMemory  (-1, 3543040, 0, 8192, 4096, 4, ... 3543040, 8192, ) == 0x0
 00680   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) == 0x0
 00681   896   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 56, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 56, {status=0x0, info=0}, ) == 0x0
 00682   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 60, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 60, {status=0x0, info=0}, ) == 0x0
 00683   896   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 64, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 64, {status=0x0, info=0}, ) == 0x0
 00684   896   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1243288,  (0x20100080, {24, 0, 0x40, 0, 1243288, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) == 0x0
 00685   896   NtAllocateVirtualMemory  (-1, 3551232, 0, 36864, 4096, 4, ... 3551232, 36864, ) == 0x0
 00686   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00687   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 00688   896   NtClose  (72, ... ) == 0x0
 00689   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00690   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 00691   896   NtClose  (72, ... ) == 0x0
 00692   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00693   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363[\201\1\0\0\0\5\0\0\0\232A\250\25\360\11\241\6^\205\1\0\326\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\51k\0\341\221\0\0\356\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363[\201\1\0\0\0\5\0\0\0\232A\250\25\360\11\241\6^\205\1\0\326\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\51k\0\341\221\0\0\356\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 00694   896   NtClose  (72, ... ) == 0x0
 00695   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00696   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 00697   896   NtClose  (72, ... ) == 0x0
 00698   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00699   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 00700   896   NtClose  (72, ... ) == 0x0
 00701   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00702   896   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 00703   896   NtClose  (72, ... ) == 0x0
 00704   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00705   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00706   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00707   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00708   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00709   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00710   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00711   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00712   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00713   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00714   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00715   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00716   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00717   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00718   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00719   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00720   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00721   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00722   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00723   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00724   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00725   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00726   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00727   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00728   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00729   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00730   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00731   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00732   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00733   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00734   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00735   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00736   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00737   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00738   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00739   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00740   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00741   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00742   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00743   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00744   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00745   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00746   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00747   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00748   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00749   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00750   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00751   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00752   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00753   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00754   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00755   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00756   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00757   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00758   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00759   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00760   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00761   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00762   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00763   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00764   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00765   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00766   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00767   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00768   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00769   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00770   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00771   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00772   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00773   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00774   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00775   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00776   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00777   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00778   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00779   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00780   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00781   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00782   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00783   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00784   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00785   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00786   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00787   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00788   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00789   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00790   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00791   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00792   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00793   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00794   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00795   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00796   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00797   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00798   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00799   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00800   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00801   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00802   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00803   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00804   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00805   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00806   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00807   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00808   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00809   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00810   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00811   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00812   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00813   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00814   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00815   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00816   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00817   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00818   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00819   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00820   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00821   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00822   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00823   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00824   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00825   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00826   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00827   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00828   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 1, 4096, 4, ... 3604480, 4096, ) == 0x0
 00829   896   NtQueryVirtualMemory  (-1, 0x370000, Basic, 28, ... {BaseAddress=0x370000,AllocationBase=0x370000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00830   896   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 00831   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 80, ) }, ... 80, ) == 0x0
 00832   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 84, ) }, ... 84, ) == 0x0
 00833   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 88, ) }, ... 88, ) == 0x0
 00834   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00835   896   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00836   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 96, {status=0x0, info=0}, ) }, 7, 16, ... 96, {status=0x0, info=0}, ) == 0x0
 00837   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22o[\254'`S\301\33=\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00838   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00839   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00840   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00841   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00842   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00843   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00844   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00845   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0
 00846   896   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "4+\242.<\245R\2235\210\26\211M\231{\316\335\266\321\232\376\202G\16\362{\332\2\370\3678\22\375\353\254\360L>\177\276A\275(\354\267\357\326\276\373\26\221\352\265\374\206\341\6@\312\344\206,\342\257\376\324\225\261\263\247\5\227\27b#\210\360tc\347", 80, ... ) , 0, 3,  (-2147482756, "Seed", 0, 3, "4+\242.<\245R\2235\210\26\211M\231{\316\335\266\321\232\376\202G\16\362{\332\2\370\3678\22\375\353\254\360L>\177\276A\275(\354\267\357\326\276\373\26\221\352\265\374\206\341\6@\312\344\206,\342\257\376\324\225\261\263\247\5\227\27b#\210\360tc\347", 80, ... ) , 80, ... ) == 0x0
 00847   896   NtClose  (-2147482756, ... ) == 0x0
 00837   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "G\332e\240\2174\250\324\226\310\330\2461\201\221$\313\10\275G\346\256\14\2240\271\27Y\12F\273\270\6\271s\3125\247\306\23\362\355\4\354\313|\364D\201y\327\347\260O\356\333\15ik\222I\3418\262\31W5\32\300\270u\214\263\312\266\206K\230\27\300 \237W^\255=)'/\2579S\234\210\273\12e\202-\220\340."\207`/\311y\313\321\367\31\205\33\4\245\325\201T\372\12o\361\222\305\203AL\374bO\333!(\206\243\242c?%_\372\35\327\246 HE\275A\300o\325\323\313\177\245\361\275."\356\m\21\265F\322VOry\3339(\335\272\372\272\300\377\317,40\313\17#z&y.\301\305n\325ZZ[\304p\227oB\275\221\232\5\34\177I\255R_\3748='\3\275\211@\357A\325{\271Q\304\205\243\313\276\211\12\205\374l\353:\215\246H\31\333\362\243\343\372\260lfm\304\240", ) \207`/\311y\313\321\367\31\205\33\4\245\325\201T\372\12o\361\222\305\203AL\374bO\333!(\206\243\242c?%_\372\35\327\246 HE\275A\300o\325\323\313\177\245\361\275. ... {status=0x0, info=256}, "G\332e\240\2174\250\324\226\310\330\2461\201\221$\313\10\275G\346\256\14\2240\271\27Y\12F\273\270\6\271s\3125\247\306\23\362\355\4\354\313|\364D\201y\327\347\260O\356\333\15ik\222I\3418\262\31W5\32\300\270u\214\263\312\266\206K\230\27\300 \237W^\255=)'/\2579S\234\210\273\12e\202-\220\340."\207`/\311y\313\321\367\31\205\33\4\245\325\201T\372\12o\361\222\305\203AL\374bO\333!(\206\243\242c?%_\372\35\327\246 HE\275A\300o\325\323\313\177\245\361\275."\356\m\21\265F\322VOry\3339(\335\272\372\272\300\377\317,40\313\17#z&y.\301\305n\325ZZ[\304p\227oB\275\221\232\5\34\177I\255R_\3748='\3\275\211@\357A\325{\271Q\304\205\243\313\276\211\12\205\374l\353:\215\246H\31\333\362\243\343\372\260lfm\304\240", ) , ) == 0x0
 00848   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00849   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00850   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 100, ) }, ... 100, ) == 0x0
 00851   896   NtQueryValueKey  (100,  (100, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00852   896   NtClose  (100, ... ) == 0x0
 00853   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 100, ) }, ... 100, ) == 0x0
 00854   896   NtQueryValueKey  (100,  (100, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   896   NtClose  (100, ... ) == 0x0
 00856   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00857   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00858   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00859   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00860   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 100, ) }, ... 100, ) == 0x0
 00861   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00863   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   896   NtClose  (100, ... ) == 0x0
 00865   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 100, ) }, ... 100, ) == 0x0
 00866   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   896   NtQueryValueKey  (100,  (100, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00868   896   NtClose  (100, ... ) == 0x0
 00869   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 100, ) }, ... 100, ) == 0x0
 00870   896   NtOpenEvent  (0x1f0003, {24, 100, 0x0, 0, 0,  (0x1f0003, {24, 100, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00871   896   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00872   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   896   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   896   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876   896   NtCreateSemaphore  (0x1f0003, {24, 100, 0x80, 1334456, 0,  (0x1f0003, {24, 100, 0x80, 1334456, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 104, ) }, 0, 2147483647, ... 104, ) == STATUS_OBJECT_NAME_EXISTS
 00877   896   NtQueryPerformanceCounter  (... {-1451327252, 16}, {3579545, 0}, ) == 0x0
 00878   896   NtQueryPerformanceCounter  (... {-1451326622, 16}, {3579545, 0}, ) == 0x0
 00879   896   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00880   896   NtCreateMutant  (0x1f0001, {24, 100, 0x80, 0, 0,  (0x1f0001, {24, 100, 0x80, 0, 0, "Local\ZonesCounterMutex"}, 0, ... 108, ) }, 0, ... 108, ) == STATUS_OBJECT_NAME_EXISTS
 00881   896   NtCreateMutant  (0x1f0001, {24, 100, 0x80, 0, 0,  (0x1f0001, {24, 100, 0x80, 0, 0, "Local\ZonesCacheCounterMutex"}, 0, ... 112, ) }, 0, ... 112, ) == STATUS_OBJECT_NAME_EXISTS
 00882   896   NtCreateMutant  (0x1f0001, {24, 100, 0x80, 0, 0,  (0x1f0001, {24, 100, 0x80, 0, 0, "Local\ZonesLockedCacheCounterMutex"}, 0, ... 116, ) }, 0, ... 116, ) == STATUS_OBJECT_NAME_EXISTS
 00883   896   NtQueryDefaultUILanguage  (1242164, ...
 00884   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00885   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 00886   896   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00887   896   NtClose  (-2147482756, ... ) == 0x0
 00888   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00889   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00891   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00892   896   NtClose  (-2147481452, ... ) == 0x0
 00893   896   NtClose  (-2147482756, ... ) == 0x0
 00883   896   NtQueryDefaultUILanguage  ... ) == 0x0
 00894   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00896   896   NtRequestWaitReplyPort  (28, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020}  (28, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81838, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81838, 0}  (28, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81838, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" )  ) == 0x0
 00897   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00898   896   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00900   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00901   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239488, ... ) }, 1239488, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00903   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00904   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00905   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239552, ... ) }, 1239552, ... ) == 0x0
 00906   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 120, {status=0x0, info=1}, ) }, 3, 33, ... 120, {status=0x0, info=1}, ) == 0x0
 00907   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00908   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00909   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 124, ... 128, ) == 0x0
 00910   896   NtClose  (124, ... ) == 0x0
 00911   896   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 1056768, ) == 0x0
 00912   896   NtClose  (128, ... ) == 0x0
 00913   896   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00914   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 00915   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 124, ) == 0x0
 00916   896   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00917   896   NtClose  (128, ... ) == 0x0
 00918   896   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00919   896   NtClose  (124, ... ) == 0x0
 00920   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00921   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00922   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00923   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00924   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00925   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00926   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00927   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00928   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00929   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00930   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00931   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00932   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00933   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00934   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00935   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00936   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00937   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00938   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00939   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00940   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00941   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00942   896   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1241032, ... ) , 42, 1241032, ... ) == 0x0
 00943   896   NtQueryDefaultUILanguage  (1239716, ...
 00944   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00945   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 00946   896   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00947   896   NtClose  (-2147482756, ... ) == 0x0
 00948   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00949   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00951   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952   896   NtClose  (-2147481452, ... ) == 0x0
 00953   896   NtClose  (-2147482756, ... ) == 0x0
 00943   896   NtQueryDefaultUILanguage  ... ) == 0x0
 00954   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238556, ... ) }, 1238556, ... ) == 0x0
 00955   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00956   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 124, ... 128, ) == 0x0
 00957   896   NtClose  (124, ... ) == 0x0
 00958   896   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 4096, ) == 0x0
 00959   896   NtClose  (128, ... ) == 0x0
 00960   896   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00961   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238152, ... ) }, 1238152, ... ) == 0x0
 00962   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238896,  (0x80100080, {24, 0, 0x40, 0, 1238896, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) == 0x0
 00963   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 128, ... 124, ) == 0x0
 00964   896   NtClose  (128, ... ) == 0x0
 00965   896   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 4096, ) == 0x0
 00966   896   NtClose  (124, ... ) == 0x0
 00967   896   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00968   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 124, {status=0x0, info=1}, ) }, 1, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00969   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 124, ... 128, ) == 0x0
 00970   896   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x380000), 0x0, 4096, ) == 0x0
 00971   896   NtQueryInformationFile  (124, 1238548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00972   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   896   NtRequestWaitReplyPort  (28, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572}  (28, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1|\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81839, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1|\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81839, 0}  (28, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1|\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81839, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1|\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" )  ) == 0x0
 00974   896   NtClose  (124, ... ) == 0x0
 00975   896   NtClose  (128, ... ) == 0x0
 00976   896   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00977   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00978   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00979   896   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 00980   896   NtUserGetDC  (0, ... ) == 0x1010052
 00981   896   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00982   896   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 00983   896   NtUserSystemParametersInfo  (66, 12, 1240548, 0, ... ) == 0x1
 00984   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00985   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 00986   896   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00987   896   NtClose  (128, ... ) == 0x0
 00988   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 128, ) }, ... 128, ) == 0x0
 00989   896   NtOpenProcessToken  (-1, 0x8, ... 124, ) == 0x0
 00990   896   NtAccessCheck  (1333816, 124, 0x1, 1240380, 1240432, 56, 1240412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00991   896   NtClose  (124, ... ) == 0x0
 00992   896   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "Control Panel\Desktop"}, ... 124, ) }, ... 124, ) == 0x0
 00993   896   NtQueryValueKey  (124,  (124, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   896   NtClose  (124, ... ) == 0x0
 00995   896   NtUserSystemParametersInfo  (41, 500, 1240576, 0, ... ) == 0x1
 00996   896   NtOpenProcessToken  (-1, 0x8, ... 124, ) == 0x0
 00997   896   NtAccessCheck  (1333816, 124, 0x1, 1240380, 1240432, 56, 1240412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00998   896   NtClose  (124, ... ) == 0x0
 00999   896   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 124, ) }, ... 124, ) == 0x0
 01000   896   NtQueryValueKey  (124,  (124, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001   896   NtClose  (124, ... ) == 0x0
 01002   896   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 01003   896   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 01004   896   NtClose  (128, ... ) == 0x0
 01005   896   NtUserSystemParametersInfo  (4130, 0, 1241080, 0, ... ) == 0x1
 01006   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 128, ) }, ... 128, ) == 0x0
 01007   896   NtEnumerateValueKey  (128, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01008   896   NtClose  (128, ... ) == 0x0
 01009   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01010   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c03b
 01011   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c03d
 01012   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01013   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c03f
 01014   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01015   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c041
 01016   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01017   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c043
 01018   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c045
 01019   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01020   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c047
 01021   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01022   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c049
 01023   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01024   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c04b
 01025   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01026   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c04d
 01027   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01028   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c04f
 01029   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c051
 01030   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01031   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c053
 01032   896   NtUserFindExistingCursorIcon  (1240324, 1240340, 1240388, ... ) == 0x10011
 01033   896   NtUserRegisterClassExWOW  (1240268, 1240336, 1240352, 1240368, 0, 384, 0, ... ) == 0x8177c055
 01034   896   NtUserFindExistingCursorIcon  (1240324, 1240340, 1240388, ... ) == 0x10011
 01035   896   NtUserRegisterClassExWOW  (1240268, 1240336, 1240352, 1240368, 0, 384, 0, ... ) == 0x8177c057
 01036   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01037   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c059
 01038   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10013
 01039   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c05b
 01040   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01041   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c05d
 01042   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01043   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c05f
 01044   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01045   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c017
 01046   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01047   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c019
 01048   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10013
 01049   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c018
 01050   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01051   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c01a
 01052   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01053   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c01c
 01054   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01055   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c01e
 01056   896   NtUserFindExistingCursorIcon  (1240320, 1240336, 1240384, ... ) == 0x10011
 01057   896   NtUserRegisterClassExWOW  (1240320, 1240388, 1240404, 1240420, 0, 384, 0, ... ) == 0x8177c01b
 01058   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01059   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c068
 01060   896   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 01061   896   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c06a
 01062   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01063   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 01064   896   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01065   896   NtClose  (128, ... ) == 0x0
 01066   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes"}, ... 128, ) }, ... 128, ) == 0x0
 01067   896   NtSetInformationObject  (130, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01068   896   NtQueryKey  (130, Name, 384, ... {Name= (130, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01069   896   NtOpenKey  (0x2000000, {24, 130, 0x40, 0, 0,  (0x2000000, {24, 130, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 124, ) }, ... 124, ) == 0x0
 01071   896   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 01072   896   NtQueryKey  (126, Name, 392, ... {Name= (126, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0
 01073   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01074   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 01075   896   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01076   896   NtClose  (132, ... ) == 0x0
 01077   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01078   896   NtEnumerateKey  (126, 0, Node, 288, ... {LastWrite={0xdf7c22cc,0x1c74da8}, TitleIdx=0, Name= (126, 0, Node, 288, ... {LastWrite={0xdf7c22cc,0x1c74da8}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0
 01079   896   NtEnumerateKey  (126, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01080   896   NtClose  (126, ... ) == 0x0
 01081   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01082   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01083   896   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01084   896   NtClose  (124, ... ) == 0x0
 01085   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 124, ) }, ... 124, ) == 0x0
 01086   896   NtSetInformationObject  (124, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01087   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01088   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01089   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 132, ) }, ... 132, ) == 0x0
 01090   896   NtQueryValueKey  (132,  (132, "DisableImprovedZoneCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01091   896   NtClose  (132, ... ) == 0x0
 01092   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01093   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01096   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 132, ) }, ... 132, ) == 0x0
 01097   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01099   896   NtClose  (132, ... ) == 0x0
 01100   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101   896   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01103   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   896   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01105   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01108   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01109   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 132, ) }, ... 132, ) == 0x0
 01110   896   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01111   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_OBJECT_CACHING"}, ... 136, ) }, ... 136, ) == 0x0
 01112   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01114   896   NtClose  (136, ... ) == 0x0
 01115   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_ZONE_ELEVATION"}, ... 136, ) }, ... 136, ) == 0x0
 01116   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01118   896   NtClose  (136, ... ) == 0x0
 01119   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_MIME_HANDLING"}, ... 136, ) }, ... 136, ) == 0x0
 01120   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01121   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   896   NtClose  (136, ... ) == 0x0
 01123   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_MIME_SNIFFING"}, ... 136, ) }, ... 136, ) == 0x0
 01124   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01125   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01126   896   NtClose  (136, ... ) == 0x0
 01127   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_WINDOW_RESTRICTIONS"}, ... 136, ) }, ... 136, ) == 0x0
 01128   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01129   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01130   896   NtClose  (136, ... ) == 0x0
 01131   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_WEBOC_POPUPMANAGEMENT"}, ... 136, ) }, ... 136, ) == 0x0
 01132   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01133   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01134   896   NtClose  (136, ... ) == 0x0
 01135   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_BEHAVIORS"}, ... 136, ) }, ... 136, ) == 0x0
 01136   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01137   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01138   896   NtClose  (136, ... ) == 0x0
 01139   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_DISABLE_MK_PROTOCOL"}, ... 136, ) }, ... 136, ) == 0x0
 01140   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01141   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01142   896   NtClose  (136, ... ) == 0x0
 01143   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_LOCALMACHINE_LOCKDOWN"}, ... 136, ) }, ... 136, ) == 0x0
 01144   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01146   896   NtClose  (136, ... ) == 0x0
 01147   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_SECURITYBAND"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01148   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_RESTRICT_ACTIVEXINSTALL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01149   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_VALIDATE_NAVIGATE_URL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01150   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_RESTRICT_FILEDOWNLOAD"}, ... 136, ) }, ... 136, ) == 0x0
 01151   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01152   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01153   896   NtClose  (136, ... ) == 0x0
 01154   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_ADDON_MANAGEMENT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_PROTOCOL_LOCKDOWN"}, ... 136, ) }, ... 136, ) == 0x0
 01156   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01157   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   896   NtClose  (136, ... ) == 0x0
 01159   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01160   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_SAFE_BINDTOOBJECT"}, ... 136, ) }, ... 136, ) == 0x0
 01161   896   NtQueryValueKey  (136,  (136, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01162   896   NtQueryValueKey  (136,  (136, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01163   896   NtClose  (136, ... ) == 0x0
 01164   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_UNC_SAVEDFILECHECK"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01165   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_GET_URL_DOM_FILEPATH_UNENCODED"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01166   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_TABBED_BROWSING"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01167   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_SSLUX"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_DISABLE_NAVIGATION_SOUNDS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_DISABLE_LEGACY_COMPRESSION"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_FORCE_ADDR_AND_STATUS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01171   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_XMLHTTP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_DISABLE_TELNET_PROTOCOL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_FEEDS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01174   896   NtOpenKey  (0x1, {24, 132, 0x40, 0, 0,  (0x1, {24, 132, 0x40, 0, 0, "FEATURE_BLOCK_INPUT_PROMPTS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01175   896   NtClose  (132, ... ) == 0x0
 01176   896   NtTestAlert  (... ) == 0x0
 01177   896   NtContinue  (1244464, 1, ...
 01178   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40a200,}, 4, ... ) == 0x0
 01179   896   NtCreateEvent  (0x1f0003, {24, 100, 0x80, 1245092, 0,  (0x1f0003, {24, 100, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 132, ) }, 1, 0, ... 132, ) == 0x0
 01180   896   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 136, ) }, {27086, 0}, 64, 134217728, 0, ... 136, ) == 0x0
 01181   896   NtMapViewOfSection  (136, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x380000), 0x0, 28672, ) == 0x0
 01182   896   NtOpenProcessToken  (-1, 0x20, ... 140, ) == 0x0
 01183   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01184   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01185   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 144, ) }, ... 144, ) == 0x0
 01186   896   NtQueryValueKey  (144,  (144, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   896   NtClose  (144, ... ) == 0x0
 01188   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01189   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 01190   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01191   896   NtQuerySystemTime  (... {1415235414, 29929616}, ) == 0x0
 01192   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 152, ) == 0x0
 01193   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01194   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01195   896   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01196   896   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01197   896   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 01198   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0
 01199   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 160, ) == 0x0
 01200   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 164, ) }, ... 164, ) == 0x0
 01201   896   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "ActiveComputerName"}, ... 168, ) }, ... 168, ) == 0x0
 01202   896   NtQueryValueKey  (168,  (168, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (168, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (168, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01203   896   NtClose  (168, ... ) == 0x0
 01204   896   NtClose  (164, ... ) == 0x0
 01205   896   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 164, ) == 0x0
 01206   896   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 168, ) == 0x0
 01207   896   NtDuplicateObject  (-1, 164, -1, 0x0, 0, 2, ... 172, ) == 0x0
 01208   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01209   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0
 01210   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01211   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01212   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243252,  (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0
 01213   896   NtSetInformationFile  (180, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01214   896   NtSetInformationFile  (180, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01215   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01216   896   NtWriteFile  (180, 157, 0, 0,  (180, 157, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01217   896   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01218   896   NtReadFile  (180, 157, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (180, 157, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01219   896   NtFsControlFile  (180, 157, 0x0, 0x0, 0x11c017,  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01220   896   NtFsControlFile  (180, 157, 0x0, 0x0, 0x11c017,  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0Pt\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \0Pt\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0Pt\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) == 0x103
 01221   896   NtFsControlFile  (180, 157, 0x0, 0x0, 0x11c017,  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (180, 157, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01222   896   NtClose  (176, ... ) == 0x0
 01223   896   NtClose  (180, ... ) == 0x0
 01224   896   NtAdjustPrivilegesToken  (140, 0, 1245096, 0, 0, 0, ... ) == 0x0
 01225   896   NtClose  (140, ... ) == 0x0
 01226   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3801088, 65536, ) == 0x0
 01227   896   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 01228   896   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 140, ) == 0x0
 01229   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
 01230   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01231   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
 01232   896   NtFreeVirtualMemory  (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 65536, ) == 0x0
 01233   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01234   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01235   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01236   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01237   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01238   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01239   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01240   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01241   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01242   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01243   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01244   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 180, ) == 0x0
 01245   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 176, ) }, ... 176, ) == 0x0
 01246   896   NtMapViewOfSection  (176, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 01247   896   NtClose  (176, ... ) == 0x0
 01248   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01249   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01250   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01251   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01252   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01253   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01254   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01255   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01256   896   NtAllocateVirtualMemory  (180, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 01257   896   NtAllocateVirtualMemory  (180, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 01258   896   NtProtectVirtualMemory  (180, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 01259   896   NtCreateThread  (0x1f03ff, 0x0, 180, 1243840, 1243784, 1, ... 176, {580, 376}, ) == 0x0
 01260   896   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 0, 0, 0, 0}  (28, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\0\0\0D\2\0\0x\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\0\0\0D\2\0\0x\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81840, 0}  (28, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\0\0\0D\2\0\0x\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\0\0\0D\2\0\0x\1\0\0" )  ) == 0x0
 01261   896   NtResumeThread  (176, ... 1, ) == 0x0
 01262   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 01263   896   NtClose  (180, ... ) == 0x0
 01264   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01265   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01266   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 180, ) == 0x0
 01267   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01268   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 01269   896   NtClose  (184, ... ) == 0x0
 01270   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01271   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01272   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01273   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01274   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01275   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01276   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01277   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01278   896   NtClose  (180, ... ) == 0x0
 01279   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01280   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01281   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 180, ) == 0x0
 01282   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01283   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 01284   896   NtClose  (184, ... ) == 0x0
 01285   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01286   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01287   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01288   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01289   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01290   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01291   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01292   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01293   896   NtClose  (180, ... ) == 0x0
 01294   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01295   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01296   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 180, ) == 0x0
 01297   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01298   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01299   896   NtClose  (184, ... ) == 0x0
 01300   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01301   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01302   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01303   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01304   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01305   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01306   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01307   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01308   896   NtClose  (180, ... ) == 0x0
 01309   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01310   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01311   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 180, ) == 0x0
 01312   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01313   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01314   896   NtClose  (184, ... ) == 0x0
 01315   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01316   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01317   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01318   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01319   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01320   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01321   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01322   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01323   896   NtClose  (180, ... ) == 0x0
 01324   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01325   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01326   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 180, ) == 0x0
 01327   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01328   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0
 01329   896   NtClose  (184, ... ) == 0x0
 01330   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01331   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01332   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01333   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01334   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01335   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01336   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01337   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01338   896   NtClose  (180, ... ) == 0x0
 01339   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01340   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01341   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 180, ) == 0x0
 01342   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01343   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01344   896   NtClose  (184, ... ) == 0x0
 01345   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01346   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01347   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01348   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01349   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01350   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01351   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01352   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01353   896   NtClose  (180, ... ) == 0x0
 01354   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01355   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01356   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 180, ) == 0x0
 01357   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01358   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01359   896   NtClose  (184, ... ) == 0x0
 01360   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01361   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01362   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01363   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01364   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01365   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01366   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01367   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01368   896   NtClose  (180, ... ) == 0x0
 01369   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01370   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01371   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 180, ) == 0x0
 01372   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01373   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01374   896   NtClose  (184, ... ) == 0x0
 01375   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01376   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01377   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01378   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01379   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01380   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01381   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01382   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01383   896   NtClose  (180, ... ) == 0x0
 01384   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01385   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01386   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 180, ) == 0x0
 01387   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01388   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01389   896   NtClose  (184, ... ) == 0x0
 01390   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01391   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01392   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01393   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01394   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01395   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01396   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01397   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01398   896   NtClose  (180, ... ) == 0x0
 01399   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01400   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01401   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 180, ) == 0x0
 01402   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01403   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01404   896   NtClose  (184, ... ) == 0x0
 01405   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01406   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01407   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01408   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01409   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01410   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01411   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01412   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01413   896   NtClose  (180, ... ) == 0x0
 01414   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01415   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01416   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 180, ) == 0x0
 01417   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01418   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01419   896   NtClose  (184, ... ) == 0x0
 01420   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01421   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01422   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01423   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01424   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01425   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01426   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01427   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01428   896   NtClose  (180, ... ) == 0x0
 01429   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01430   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01431   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 180, ) == 0x0
 01432   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01433   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01434   896   NtClose  (184, ... ) == 0x0
 01435   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01436   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01437   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01438   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01439   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01440   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01441   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01442   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01443   896   NtClose  (180, ... ) == 0x0
 01444   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01445   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01446   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 180, ) == 0x0
 01447   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01448   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01449   896   NtClose  (184, ... ) == 0x0
 01450   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01451   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01452   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01453   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01454   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01455   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01456   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01457   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01458   896   NtClose  (180, ... ) == 0x0
 01459   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01460   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01461   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 180, ) == 0x0
 01462   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01463   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01464   896   NtClose  (184, ... ) == 0x0
 01465   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01466   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01467   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01468   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01469   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01470   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01471   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01472   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01473   896   NtClose  (180, ... ) == 0x0
 01474   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01475   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01476   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 180, ) == 0x0
 01477   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01478   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01479   896   NtClose  (184, ... ) == 0x0
 01480   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01481   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01482   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01483   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01484   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01485   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01486   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01487   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01488   896   NtClose  (180, ... ) == 0x0
 01489   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01490   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01491   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 180, ) == 0x0
 01492   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01493   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01494   896   NtClose  (184, ... ) == 0x0
 01495   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01496   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01497   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01498   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01499   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01500   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01501   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01502   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01503   896   NtClose  (180, ... ) == 0x0
 01504   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01505   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01506   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 180, ) == 0x0
 01507   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01508   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01509   896   NtClose  (184, ... ) == 0x0
 01510   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01511   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01512   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01513   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01514   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01515   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01516   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01517   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01518   896   NtClose  (180, ... ) == 0x0
 01519   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01520   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01521   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 180, ) == 0x0
 01522   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01523   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01524   896   NtClose  (184, ... ) == 0x0
 01525   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01526   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01527   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01528   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01529   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01530   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01531   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01532   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01533   896   NtClose  (180, ... ) == 0x0
 01534   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01535   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01536   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 180, ) == 0x0
 01537   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01538   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01539   896   NtClose  (184, ... ) == 0x0
 01540   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01541   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01542   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01543   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01544   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01545   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01546   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01547   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01548   896   NtClose  (180, ... ) == 0x0
 01549   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01550   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01551   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 180, ) == 0x0
 01552   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01553   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01554   896   NtClose  (184, ... ) == 0x0
 01555   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01556   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01557   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01558   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01559   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01560   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01561   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01562   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01563   896   NtClose  (180, ... ) == 0x0
 01564   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01565   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01566   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {784, 0}, ... 180, ) == 0x0
 01567   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01568   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01569   896   NtClose  (184, ... ) == 0x0
 01570   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01571   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01572   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01573   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01574   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01575   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01576   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01577   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01578   896   NtClose  (180, ... ) == 0x0
 01579   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01580   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01581   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {488, 0}, ... 180, ) == 0x0
 01582   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01583   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01584   896   NtClose  (184, ... ) == 0x0
 01585   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01586   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01587   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01588   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01589   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01590   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01591   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01592   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01593   896   NtClose  (180, ... ) == 0x0
 01594   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01595   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01596   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1208, 0}, ... 180, ) == 0x0
 01597   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01598   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01599   896   NtClose  (184, ... ) == 0x0
 01600   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01601   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01602   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01603   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01604   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01605   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01606   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01607   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01608   896   NtClose  (180, ... ) == 0x0
 01609   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01610   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01611   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {168, 0}, ... 180, ) == 0x0
 01612   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01613   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01614   896   NtClose  (184, ... ) == 0x0
 01615   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01616   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01617   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01618   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01619   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01620   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01621   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01622   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01623   896   NtClose  (180, ... ) == 0x0
 01624   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01625   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01626   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {764, 0}, ... 180, ) == 0x0
 01627   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01628   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01629   896   NtClose  (184, ... ) == 0x0
 01630   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01631   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01632   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01633   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01634   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01635   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01636   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01637   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01638   896   NtClose  (180, ... ) == 0x0
 01639   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01640   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01641   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {868, 0}, ... 180, ) == 0x0
 01642   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01643   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01644   896   NtClose  (184, ... ) == 0x0
 01645   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01646   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01647   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01648   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01649   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01650   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01651   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01652   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01653   896   NtClose  (180, ... ) == 0x0
 01654   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01655   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01656   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {808, 0}, ... 180, ) == 0x0
 01657   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01658   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01659   896   NtClose  (184, ... ) == 0x0
 01660   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01661   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01662   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01663   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01664   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01665   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01666   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01667   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01668   896   NtClose  (180, ... ) == 0x0
 01669   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01670   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01671   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 180, ) == 0x0
 01672   896   NtOpenSection  (0xe, {24, 100, 0x0, 0, 0,  (0xe, {24, 100, 0x0, 0, 0, "W32_Virtu"}, ... 184, ) }, ... 184, ) == 0x0
 01673   896   NtMapViewOfSection  (184, 180, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01674   896   NtClose  (184, ... ) == 0x0
 01675   896   NtProtectVirtualMemory  (180, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01676   896   NtWriteVirtualMemory  (180, 0x7c90d682,  (180, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01677   896   NtProtectVirtualMemory  (180, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01678   896   NtWriteVirtualMemory  (180, 0x7c90dcfd,  (180, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01679   896   NtProtectVirtualMemory  (180, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01680   896   NtWriteVirtualMemory  (180, 0x7c90d754,  (180, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01681   896   NtProtectVirtualMemory  (180, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01682   896   NtWriteVirtualMemory  (180, 0x7c90d769,  (180, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01683   896   NtClose  (180, ... ) == 0x0
 01684   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01685   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01686   896   NtClose  (140, ... ) == 0x0
 01687   896   NtClose  (132, ... ) == 0x0
 01688   896   NtRequestWaitReplyPort  (28, {20, 48, new_msg, 0, 40, 3297224, -1, 3277240}  (28, {20, 48, new_msg, 0, 40, 3297224, -1, 3277240} "\0\0\0\0%\2\2\0\0\02\0\264\374\22\0\1\0<\0" ... {20, 48, reply, 0, 1252, 896, 81886, 0} "\0\0\0\0%\2\2\0\0\0\0\0\264\374\22\0\1\0<\0" )  ... {20, 48, reply, 0, 1252, 896, 81886, 0}  (28, {20, 48, new_msg, 0, 40, 3297224, -1, 3277240} "\0\0\0\0%\2\2\0\0\02\0\264\374\22\0\1\0<\0" ... {20, 48, reply, 0, 1252, 896, 81886, 0} "\0\0\0\0%\2\2\0\0\0\0\0\264\374\22\0\1\0<\0" )  ) == 0x0
 01689   896   NtClose  (36, ... ) == 0x0
 01690   896   NtCreateMutant  (0x1f0001, {24, 100, 0x80, 0, 0,  (0x1f0001, {24, 100, 0x80, 0, 0, "RpcPatch_Mutex"}, 0, ... 36, ) }, 0, ... 36, ) == 0x0
 01691   896   NtOpenEvent  (0x100000, {24, 100, 0x0, 0, 0,  (0x100000, {24, 100, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 132, ) }, ... 132, ) == 0x0
 01692   896   NtWaitForSingleObject  (132, 0, {-1800000000, -1}, ... ) == 0x0
 01693   896   NtClose  (132, ... ) == 0x0
 01694   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22-\316\23\375\303\346\272\335Zd\270\311\247)P\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01695   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01696   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01697   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01698   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01699   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01700   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01701   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01702   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0
 01703   896   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "]2=\200&\263\25\371-\3\206\323\22|b\206C\343\340\252\204\6\246f0\305\307\264\352\360\214%U`g\315\221\11\352\247\223F\376*O\376L}SEpU^\24\322\332z\363\307\203H\12\223Jp0\322Q\257H\224\353>U\207\330\232\207\315", 80, ... ) , 0, 3,  (-2147482756, "Seed", 0, 3, "]2=\200&\263\25\371-\3\206\323\22|b\206C\343\340\252\204\6\246f0\305\307\264\352\360\214%U`g\315\221\11\352\247\223F\376*O\376L}SEpU^\24\322\332z\363\307\203H\12\223Jp0\322Q\257H\224\353>U\207\330\232\207\315", 80, ... ) , 80, ... ) == 0x0
 01704   896   NtClose  (-2147482756, ... ) == 0x0
 01694   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\223\235\341\\210wM\265\36\226&\265+\351t}\257wm>\33713!+\266\246Y\226W\23H\33oib\2551\327H\313\271\3432$J|Ky\245\340\17\351\354\355D\306\323<7e\202_.d\325=\230T!I\37\221\10O\250\202\262\36b\274\34~\360, ) , ) == 0x0
 01705   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22-\316\23\375\303\346\272\237\317\333bj\22R\226\333d\270\311\247)P\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01706   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01707   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01708   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01709   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01710   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01711   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01712   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01713   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0
 01714   896   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "\250[t2S\220\275\204\360)\3\222\215\203\240r\34\330%\205\32\255Z\321i\272\367\367\374\275X\354\264i\364\20\247:}8\343j\2018\213\22\364\304\252\265\17`a\230:<1`F#\327\223\260c\225u\2-\227\221\376k\321\357\212Uz=\7\253", 80, ... ) , 0, 3,  (-2147482756, "Seed", 0, 3, "\250[t2S\220\275\204\360)\3\222\215\203\240r\34\330%\205\32\255Z\321i\272\367\367\374\275X\354\264i\364\20\247:}8\343j\2018\213\22\364\304\252\265\17`a\230:<1`F#\327\223\260c\225u\2-\227\221\376k\321\357\212Uz=\7\253", 80, ... ) , 80, ... ) == 0x0
 01715   896   NtClose  (-2147482756, ... ) == 0x0
 01705   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\320\265Q\4jq\320Xy\32&\32J^p\236\321+\310\203\\245\25\356\357v\240\215XB\325\205p\364\177&$\331\0Frl\204\304r\322\273\376\311M\304( \341*h&\202Z"4\323\226\7Z\263\236Uj,\224\260\215\311S\25D\335Xw\251\16\245\377\325\326)\321\23z\207$\207\203\240\365\24\315\34\363\363c\256\364>\350I\334\275\271fb4\274\5\35\376a\265\301T\263\277\372\317=\303T\327P\265\214P\341gM\201\241\10\3646Y\242\322\352\330\322\34lOy\311\275\223\235\4s\27482\224\254j:\354\20K\365\267\30~\4\213\304u\23\221\237u\253\247\221\275:4\1\247\200\205\311\26<\20\271T/\312\270%\272X_^\211X\233)[\233Ve\201C\4f\30\17F`x\374e\310rr`\34+\329\177\257\4\225\15\343rk\12 H\2029a\w{R\331\230L\377\247cou", ) 4\323\226\7Z\263\236Uj,\224\260\215\311S\25D\335Xw\251\16\245\377\325\326)\321\23z\207$\207\203\240\365\24\315\34\363\363c\256\364>\350I\334\275\271fb4\274\5\35\376a\265\301T\263\277\372\317=\303T\327P\265\214P\341gM\201\241\10\3646Y\242\322\352\330\322\34lOy\311\275\223\235\4s\27482\224\254j:\354\20K\365\267\30~\4\213\304u\23\221\237u\253\247\221\275:4\1\247\200\205\311\26<\20\271T/\312\270%\272X_^\211X\233)[\233Ve\201C\4f\30\17F`x\374e\310rr`\34+\329\177\257\4\225\15\343rk\12 H\2029a\w{R\331\230L\377\247cou", ) == 0x0
 01716   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22-\316\23\375\303\346\272\237\317\333bj\22R\324N\333bj\22R\226\333d\270\311\247)P\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01717   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01718   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01719   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01720   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01721   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01722   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01723   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01724   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0
 01725   896   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "\3\277\362\6E\211\367[]93mX\300S\272\217\251|\244M\330S\252\301\323\344\22\211\352\345\227\360\341\275\323~\21\20\226@\322},\327\3\213\262\263\246\350}m=\233Vpf\20q\257[\255<\5\257.\230\250\3461%\353\216g, 80, ... ) , 0, 3,  (-2147482756, "Seed", 0, 3, "\3\277\362\6E\211\367[]93mX\300S\272\217\251|\244M\330S\252\301\323\344\22\211\352\345\227\360\341\275\323~\21\20\226@\322},\327\3\213\262\263\246\350}m=\233Vpf\20q\257[\255<\5\257.\230\250\3461%\353\216g, 80, ... ) , 80, ... ) == 0x0
 01726   896   NtClose  (-2147482756, ... ) == 0x0
 01716   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "E\331/\271\263\320\210OJ\260\261M\353y\25170|9\343\262\32\324l\31\342\3739\31'\25J\375\177\340H]\353\361\373\253\371\354D\220\241\363/C\250\5\261O06|H\314\352[\265\261\3579N\17\325)\232\23221\27\303\10\251\2\335r\313\244\2\305\23u\276H\247\221-\246\345\257\372\2J\27\340\247?\374:\261dx\253\32d\300\3338\367\35\232\214k\222\201\343\320\214g\24\\206+\213/\311\35\213F\203[<\265o\36\325\262VGB\333\207)4\26&\245\353\335\3458.\273\367v\210;P\366\217\320`Qr\350s\365\247\227\355\357\374\246\310$),Y"\270{\202G\327\264\256{\273\1E\260TO\224\207[\366q\313E\224\246%\16?\363\320\217\360\357\3224\264F\316\304\374\311\323\205_{\247|\206f\272\374%\17\356\276fo\275\224<\360\373?\304\206\217\257\314\373T\12\5\231\337\372\242", ) \270{\202G\327\264\256{\273\1E\260TO\224\207[\366q\313E\224\246%\16?\363\320\217\360\357\3224\264F\316\304\374\311\323\205_{\247|\206f\272\374%\17\356\276fo\275\224<\360\373?\304\206\217\257\314\373T\12\5\231\337\372\242", ) == 0x0
 01727   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22-\316\23\375\303\346\272\237\317\333bj\22R\324N\333bj\22R\324N\333bj\22R\226\333d\270\311\247)P\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01728   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01729   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01730   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01731   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01732   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01733   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01734   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01735   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0
 01736   896   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "\15a>-\273\2219\361\267<\273|\244\347\330\246\204\377\323[\202,o\301\233S\305\270\321\347aP\272\320\4K\265\12\12O``\242Z\222A;\14\365d\337\235\236t\326\225\6\364G\323\357\227+\26\350on\267X\207\255\376}\206'\14\3^\346/", 80, ... ) , 0, 3,  (-2147482756, "Seed", 0, 3, "\15a>-\273\2219\361\267<\273|\244\347\330\246\204\377\323[\202,o\301\233S\305\270\321\347aP\272\320\4K\265\12\12O``\242Z\222A;\14\365d\337\235\236t\326\225\6\364G\323\357\227+\26\350on\267X\207\255\376}\206'\14\3^\346/", 80, ... ) , 80, ... ) == 0x0
 01737   896   NtClose  (-2147482756, ... ) == 0x0
 01727   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "2V\341\320\206\263\17,\304y\13\371\235\3261\354\353\214v\300\300\353\30\316h\347w\221(\30\37\36\237\251[\221\363\222\241\377m\13cU\226J\300V\363AK>\3$AUE\245\253u\210\317\206\265\261U\24\17\266\201\255\205Pt8\350\264\222j\232\361\324\14h\201\250`\361T\13\245Q\364\371n\321Vx\1\276\250 E\177$ v\262\352\2715(~Q\351~c\276i\224\301Z\277\347\2t\220\26k\372"\377\355x\233\23\2101\225(~W\213\370\233y\355\356Ps\223\255S\37\33\263v\255q\317\255\231p\301ax\200\266\200\221\222C%5\262v\240)\324\26^(,'\375X\326\307\340*B\6\254\3476\304\317\357;R%\232\315\260!\233A\316\336\237\3179\201\356g\13\261D\351\32/\322\34\275\346D\22(\207xQ\0eI\204\306{\361\324\233\27\253\36\364q\200\354\323\33$\321\241\4\306\214[", ) \377\355x\233\23\2101\225(~W\213\370\233y\355\356Ps\223\255S\37\33\263v\255q\317\255\231p\301ax\200\266\200\221\222C%5\262v\240)\324\26^(,'\375X\326\307\340*B\6\254\3476\304\317\357;R%\232\315\260!\233A\316\336\237\3179\201\356g\13\261D\351\32/\322\34\275\346D\22(\207xQ\0eI\204\306{\361\324\233\27\253\36\364q\200\354\323\33$\321\241\4\306\214[", ) == 0x0
 01738   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22-\316\23\375\303\346\272\237\317\333bj\22R\324N\333bj\22R\324N\333bj\22R\324N\333bj\22R\226\333d\270\311\247)P\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01739   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01740   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01741   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01742   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01743   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01744   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01745   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01746   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0
 01747   896   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "\6rt\3458O\364\7\201\217\357\324P\275\242\234\273\346\302T4\305\271X|\2q|\260\224\200\310\373\311\14\17G\207\256(\230\5\374Y\376J\320\350V\245\241v\320\240#*8}\25\371\4\20\244\20&\335\21\330\363l]\335\177!\262\316\273\364t\2", 80, ... ) , 0, 3,  (-2147482756, "Seed", 0, 3, "\6rt\3458O\364\7\201\217\357\324P\275\242\234\273\346\302T4\305\271X|\2q|\260\224\200\310\373\311\14\17G\207\256(\230\5\374Y\376J\320\350V\245\241v\320\240#*8}\25\371\4\20\244\20&\335\21\330\363l]\335\177!\262\316\273\364t\2", 80, ... ) , 80, ... ) == 0x0
 01748   896   NtClose  (-2147482756, ... ) == 0x0
 01738   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\25\331\370H\341\224\242\244^Q\214\334mh\247u\3;\13\6\253\313B\220\14\3k\263\334\216\343\245\3r\36z$\362\23\220\260\360\302\355S\37\3175\277\307\3712\253f02-\234\221G]\270Y\254\272\214\34\304\241\37\161%\205] \251\344\2767\3263\277hH\373\353>\361w\332p\262\24{\15\343v\12Y\367\14\204\242\245)B\331\262\227EM\25\243\23\310V\300\364\266f\207O/\374!\340\207\4\254\352\343\327\1\242!5,Q\351\363\371\275j\250\221\255\16\211(\337\31P\224\275M\301\2123\330\224q\266\367\232X\2\316\327<\253\221\210\264\251\36\323\331&\36~\270\330Ev\1 \6\301\316\10\210\223\311\274c\3757\343VzM", ) \205] \251\344\2767\3263\277hH\373\353>\361w\332p\262\24{\15\343v\12Y\367\14\204\242\245)B\331\262\227EM\25\243\23\310V\300\364\266f\207O/\374!\340\207\4\254\352\343\327\1\242!5,Q\351\363\371\275j\250\221\255\16\211(\337\31P\224\275M\301\2123\330\224q\266\367\232X\2\316\327<\253\221\210\264\251\36\323\331&\36~\270\330Ev\1 \6\301\316\10\210\223\311\274c\3757\343VzM", ) == 0x0
 01749   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22-\316\23\375\303\346\272\237\317\333bj\22R\324N\333bj\22R\324N\333bj\22R\324N\333bj\22R\324N\333bj\22R\226\333d\270\311\247)P\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01750   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01751   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01752   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01753   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01754   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01755   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01756   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01757   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0
 01758   896   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "\316J\277S\247@x\324\270\231A\31?{\210b\3723o_\334*\3\7\254\332*\301\224:\270\307\316<\311\324\300\364g\363\240k\20>/\346\303\21h$\222\262\251N\355\37\5\232\264\377(\236\224\253)\364\314F)\250$\316T6o\221\215\1\244\32", 80, ... ) , 0, 3,  (-2147482756, "Seed", 0, 3, "\316J\277S\247@x\324\270\231A\31?{\210b\3723o_\334*\3\7\254\332*\301\224:\270\307\316<\311\324\300\364g\363\240k\20>/\346\303\21h$\222\262\251N\355\37\5\232\264\377(\236\224\253)\364\314F)\250$\316T6o\221\215\1\244\32", 80, ... ) , 80, ... ) == 0x0
 01759   896   NtClose  (-2147482756, ... ) == 0x0
 01749   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "1\261\377\317\260\326\204\244k>\2658]m \274jp\254Su\36\270\353\4\32_O\261\310\6RA\325\33Hw4\211"\346\355f/\345=\207 \232\11\267\206m\316\333\230L\321\207\11l\364n\203,R\265K\310\215\310\206\335M9\\230\357O\31\312\230\257\267#\273\311\232\274\275\300\257>\3068\204\36\32\301,\206\301@\372v\204\251\261\361cu\207|5T\277\255mh\310\31222MK\272\175$\330\255\333\366\326\361\265\177R\307\276\23\267\226\227P\361a\314`;\364\227\266\34\326\7Z\373\337\310\356\316.\02\205\5\6\246\213AEX\226]\200\17r\177\214e\333\216\205\352\315\2222\276C\235\346G\242VH\26\227V\7\240\360f\261\310\354Z\12G\351gP(Z\270\257\10\25\216#J\36\353\34\362\12\205\324_\242}\267\271\6\356\1\3408\311v\236\372x\304\255\2.\206\2077\203s3\272\353W", ) \346\355f/\345=\207 \232\11\267\206m\316\333\230L\321\207\11l\364n\203,R\265K\310\215\310\206\335M9\\230\357O\31\312\230\257\267#\273\311\232\274\275\300\257>\3068\204\36\32\301,\206\301@\372v\204\251\261\361cu\207|5T\277\255mh\310\31222MK\272\175$\330\255\333\366\326\361\265\177R\307\276\23\267\226\227P\361a\314`;\364\227\266\34\326\7Z\373\337\310\356\316.\02\205\5\6\246\213AEX\226]\200\17r\177\214e\333\216\205\352\315\2222\276C\235\346G\242VH\26\227V\7\240\360f\261\310\354Z\12G\351gP(Z\270\257\10\25\216#J\36\353\34\362\12\205\324_\242}\267\271\6\356\1\3408\311v\236\372x\304\255\2.\206\2077\203s3\272\353W", ) == 0x0
 01760   896   NtDeviceIoControlFile  (96, 0, 0x0, 0x0, 0x390008,  (96, 0, 0x0, 0x0, 0x390008, "Z\205\35\11!,\22-\316\23\375\303\346\272\237\317\333bj\22R\324N\333bj\22R\324N\333bj\22R\324N\333bj\22R\324N\333bj\22R\324N\333bj\22R\226\333d\270\311\247)P\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01761   896   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01762   896   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01763   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01764   896   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01765   896   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01766   896   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01767   896   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01768   896   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0
 01769   896   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "\244\17\334\336$\244\7\10\14p\245\6M6\36\276]\240\352=Y\236m\324\352\363u\253\230\364\265\340\330FG\262\325\262g\315fID\240\303\351\335\7\21t\233\35\273#\375\267i\275\240g\35\35\33-\311\224\360I)}e}\362*\373i\270\304\203\322", 80, ... ) , 0, 3,  (-2147482756, "Seed", 0, 3, "\244\17\334\336$\244\7\10\14p\245\6M6\36\276]\240\352=Y\236m\324\352\363u\253\230\364\265\340\330FG\262\325\262g\315fID\240\303\351\335\7\21t\233\35\273#\375\267i\275\240g\35\35\33-\311\224\360I)}e}\362*\373i\270\304\203\322", 80, ... ) , 80, ... ) == 0x0
 01770   896   NtClose  (-2147482756, ... ) == 0x0
 01760   896   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\226\344\212\177z(\357\335\266\317LU\262U\244\345 \250\20\276\3\235\344\37\244z(;\226\232\346\24`\3\362\303\242\343\25\240\3\207\360\\256\324\225\250\341R[\377\222\356\335\242T\274\212qq\247\31\367\333J}8p\357\312\3\347\30m(X\24z\253\213j!\373\242\362CHD[\352\327P\263\237n\32J\10\313;\30\323\251\243\200?\250m6)`\26A\322\335P\25 \1\1\272\26l\201\372\371\252TX\270\306\313\223\201N0\32\234\347\274g\353J\256G1r8\36\244k{\331\200\243\223;\311\360\222\255\337u\20^%\307\241~g\33\276\16\16\273\13\355\353\331V\257\24\7\237zt\210\376\2042\334\354\366h\246\223w\234i\314\375\213\13/\255\243T\375\303!`\215\226\240\2\264Q))\326\216\246", ) , ) == 0x0
 01771   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01772   896   NtConnectPort  ( ("\RPC Control\ntsvcs", {12, 2, 1, 1}, 0x0, 0x0, 1243284, 188, ... 140, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 1243284, 188, ... 140, 0x0, 0x0, 0x0, 188, ) == 0x0
 01773   896   NtRequestWaitReplyPort  (140, {200, 224, new_msg, 0, 1340496, 12, 2, 1310977}  (140, {200, 224, new_msg, 0, 1340496, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\30\226\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\314\312&\233\353\4.\354x\211\24\0ZwQ\353\12\0\0\0\0\0\0\0x\211\24\0(\0\0\0\200\211\24\0\371\250h\207\240\1\24\0(\0\0\0)\234\0\0\0\0\24\0\360\366\22\0\23\1\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81888, 0} "\7\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\314\312&\233\353\4.\354x\211\24\0ZwQ\353\12\0\0\0\0\0\0\0x\211\24\0(\0\0\0\200\211\24\0\371\250h\207\240\1\24\0(\0\0\0)\234\0\0\0\0\24\0\360\366\22\0\23\1\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1252, 896, 81888, 0}  (140, {200, 224, new_msg, 0, 1340496, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\30\226\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\314\312&\233\353\4.\354x\211\24\0ZwQ\353\12\0\0\0\0\0\0\0x\211\24\0(\0\0\0\200\211\24\0\371\250h\207\240\1\24\0(\0\0\0)\234\0\0\0\0\24\0\360\366\22\0\23\1\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81888, 0} "\7\0\0\0\274\0\0\0\44\24\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\314\312&\233\353\4.\354x\211\24\0ZwQ\353\12\0\0\0\0\0\0\0x\211\24\0(\0\0\0\200\211\24\0\371\250h\207\240\1\24\0(\0\0\0)\234\0\0\0\0\24\0\360\366\22\0\23\1\0\0\0\0\0\0X[\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\24\367\22\0\372\31\221|\250\376\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01774   896   NtRequestWaitReplyPort  (140, {48, 72, new_msg, 0, 44, 3, 20, 0}  (140, {48, 72, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\33\0gS\263F\252\227\2L\355h\28 \0"\0\377\377\377\377\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200D\0e\0" ... {96, 120, reply, 0, 1252, 896, 81889, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) \0\377\377\377\377\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200D\0e\0 (140, {48, 72, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\33\0gS\263F\252\227\2L\355h\28 \0"\0\377\377\377\377\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200D\0e\0" ... {96, 120, reply, 0, 1252, 896, 81889, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) \2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ) == 0x0
 01775   896   NtRequestWaitReplyPort  (140, {100, 124, new_msg, 0, 1252, 896, 81889, 0}  (140, {100, 124, new_msg, 0, 1252, 896, 81889, 0} "\1\356\0\0A\2\34\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\11\0\0\0\0\0\0\0\11\0\0\0RpcPatch\0\0\0\0\377\1\17\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81890, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81890, 0}  (140, {100, 124, new_msg, 0, 1252, 896, 81889, 0} "\1\356\0\0A\2\34\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\31/\\7\271\346)E\242\237T\31D\323\36r\11\0\0\0\0\0\0\0\11\0\0\0RpcPatch\0\0\0\0\377\1\17\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81890, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\4\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01776   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01777   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\system32\dllcache\tftpd.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01778   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01779   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 0x0, 0, 3, 1, 2097252, 0, 0, ... ) }, 0x0, 0, 3, 1, 2097252, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01780   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01781   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 0x0, 0, 1, 1, 100, 0, 0, ... ) }, 0x0, 0, 1, 1, 100, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01782   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01783   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\C:\WINDOWS\SYSTEM32\DLLCACHE\TFTPD.EXE"}, 0x0, 0, 3, 1, 100, 0, 0, ... ) }, 0x0, 0, 3, 1, 100, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01784   896   NtOpenEvent  (0x100000, {24, 100, 0x0, 0, 0,  (0x100000, {24, 100, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 180, ) }, ... 180, ) == 0x0
 01785   896   NtWaitForSingleObject  (180, 0, {-1800000000, -1}, ... ) == 0x0
 01786   896   NtClose  (180, ... ) == 0x0
 01787   896   NtRequestWaitReplyPort  (140, {48, 72, new_msg, 0, 1252, 896, 81890, 0}  (140, {48, 72, new_msg, 0, 1252, 896, 81890, 0} "\1+\0\0A\2\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81891, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81891, 0}  (140, {48, 72, new_msg, 0, 1252, 896, 81890, 0} "\1+\0\0A\2\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81891, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 01788   896   NtRequestWaitReplyPort  (140, {44, 68, new_msg, 56, 1252, 896, 81891, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81891, 0} "\1\0\0\0B\2\30\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\1\0\0\0\340\233\24\0\370\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81892, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201\0\0\0\0\360\376?\300\0\0\0\0d\206\254\201\0\0\20\0\377\27\0\0\354Sn\201" )  ... {124, 148, reply, 0, 1252, 896, 81892, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81891, 0} "\1\0\0\0B\2\30\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\1\0\0\0\340\233\24\0\370\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81892, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201\0\0\0\0\360\376?\300\0\0\0\0d\206\254\201\0\0\20\0\377\27\0\0\354Sn\201" )  ) == 0x0
 01789   896   NtRequestWaitReplyPort  (140, {96, 120, new_msg, 0, 1252, 896, 81892, 0}  (140, {96, 120, new_msg, 0, 1252, 896, 81892, 0} "\1\356\0\0A\2\34\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\6\0\0\0\0\0\0\0\6\0\0\0MSDTC\0`\371\377\1\17\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ... {96, 120, reply, 0, 1252, 896, 81893, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81893, 0}  (140, {96, 120, new_msg, 0, 1252, 896, 81892, 0} "\1\356\0\0A\2\34\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\6\0\0\0\0\0\0\0\6\0\0\0MSDTC\0`\371\377\1\17\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ... {96, 120, reply, 0, 1252, 896, 81893, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01790   896   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01791   896   NtRequestWaitReplyPort  (140, {84, 108, new_msg, 0, 1252, 896, 81893, 0}  (140, {84, 108, new_msg, 0, 1252, 896, 81893, 0} "\1+\0\0A\2&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81894, 0} "\2\0\370\0\4\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201(\4\0\0x~\15\0" )  ... {40, 64, reply, 0, 1252, 896, 81894, 0}  (140, {84, 108, new_msg, 0, 1252, 896, 81893, 0} "\1+\0\0A\2&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81894, 0} "\2\0\370\0\4\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201(\4\0\0x~\15\0" )  ) == 0x0
 01792   896   NtRequestWaitReplyPort  (140, {64, 88, new_msg, 56, 1350960, 1242952, 1243052, 0}  (140, {64, 88, new_msg, 56, 1350960, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\244\235\24\0\1\0\0\0P\242\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {64, 88, reply, 56, 1252, 896, 81895, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\244\235\24\0\1\0\0\0P\242\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" )  ... {64, 88, reply, 56, 1252, 896, 81895, 0}  (140, {64, 88, new_msg, 56, 1350960, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\244\235\24\0\1\0\0\0P\242\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {64, 88, reply, 56, 1252, 896, 81895, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\244\235\24\0\1\0\0\0P\242\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 01793   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81894, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81894, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81896, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81896, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81894, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0x\32\303\216yS\204G\225b~C.'\276\316\1\0\0\0\0\4\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81896, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01794   896   NtRequestWaitReplyPort  (140, {44, 68, new_msg, 56, 1252, 896, 81896, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81896, 0} "\1+\0\0B\2$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0P\242\24\0O\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81897, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0x~\15\0" )  ... {40, 64, reply, 0, 1252, 896, 81897, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81896, 0} "\1+\0\0B\2$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0P\242\24\0O\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81897, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0x~\15\0" )  ) == 0x0
 01795   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81897, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81897, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81898, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ... {96, 120, reply, 0, 1252, 896, 81898, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81897, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\03]d=\263\216,F\261P\34\351\263\227R~\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81898, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ) == 0x0
 01796   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81898, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81898, 0} "\1\356\0\0A\2\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81899, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81899, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81898, 0} "\1\356\0\0A\2\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0L\317\255)z\4\255L\271t\2429&Dg\11\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81899, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01797   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1243000, ... ) }, 1243000, ... ) == 0x0
 01798   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 180, {status=0x0, info=1}, ) }, 7, 2113568, ... 180, {status=0x0, info=1}, ) == 0x0
 01799   896   NtSetInformationFile  (180, 1242976, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01800   896   NtClose  (180, ... ) == 0x0
 01801   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243248,  (0x80100080, {24, 0, 0x40, 0, 1243248, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 180, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 180, {status=0x0, info=1}, ) == 0x0
 01802   896   NtQueryInformationFile  (180, 1243684, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01803   896   NtQueryInformationFile  (180, 1243600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01804   896   NtQueryInformationFile  (180, 1243416, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01805   896   NtAllocateVirtualMemory  (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
 01806   896   NtQueryInformationFile  (180, 1352616, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01807   896   NtQueryInformationFile  (180, 1241864, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01808   896   NtQueryInformationFile  (180, 1242140, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01809   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\WINS\DLLHOST.EXE"}, 1241336, ... ) }, 1241336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01810   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242016,  (0x40110080, {24, 0, 0x40, 0, 1242016, "\??\C:\WINDOWS\system32\wins\DLLHOST.EXE"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01811   896   NtClose  (-2147481484, ... ) == 0x0
 01810   896   NtCreateFile  ... 184, {status=0x0, info=2}, ) == 0x0
 01812   896   NtQueryVolumeInformationFile  (184, 1242168, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01813   896   NtQueryInformationFile  (184, 1241752, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01814   896   NtQueryVolumeInformationFile  (180, 1242168, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01815   896   NtSetInformationFile  (184, 1242068, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01816   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 180, ... 188, ) == 0x0
 01817   896   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 01818   896   NtClose  (188, ... ) == 0x0
 01819   896   NtWriteFile  (184, 0, 0, 0,  (184, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0Y\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0V^%\35\22?KN\22?KN\22?KNK\34XN\20?KN\2217\26N\30?KNi#GN\23?KN} AN\31?KN\221#EN\23?KN} ON\21?KN\22?JNv?KN\24\34@N\20?KNRich\22?KN\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\10 \10\232\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0`\0\0\0\242\0\0\0p\0\0\0\240\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\3\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\240\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0", 19968, 0x0, 0, ... {status=0x0, info=19968}, ) , 19968, 0x0, 0, ... {status=0x0, info=19968}, ) == 0x0
 01820   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01821   896   NtSetInformationFile  (184, 1243416, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01822   896   NtClose  (180, ... ) == 0x0
 01823   896   NtClose  (184, ... ) == 0x0
 01824   896   NtOpenEvent  (0x100000, {24, 100, 0x0, 0, 0,  (0x100000, {24, 100, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 184, ) }, ... 184, ) == 0x0
 01825   896   NtWaitForSingleObject  (184, 0, {-1800000000, -1}, ... ) == 0x0
 01826   896   NtClose  (184, ... ) == 0x0
 01827   896   NtRequestWaitReplyPort  (140, {48, 72, new_msg, 0, 1252, 896, 81899, 0}  (140, {48, 72, new_msg, 0, 1252, 896, 81899, 0} "\1+\0\0A\2\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81900, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81900, 0}  (140, {48, 72, new_msg, 0, 1252, 896, 81899, 0} "\1+\0\0A\2\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\0\0\0\0?\0\17\0\0\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81900, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\0\0\0z\0\0\0\1\0\0\0\0\00\0\5\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 01828   896   NtRequestWaitReplyPort  (140, {44, 68, new_msg, 56, 1252, 896, 81900, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81900, 0} "\1\0\0\0B\2\30\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\1\0\0\0\310\232\24\0\350\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81901, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\227\14>{z\307\36M\236\253\23\312\345>u\322\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201\0\0\0\0\360\376?\300\0\0\0\0d\206\254\201\0\0\20\0\377\27\0\0\354Sn\201" )  ... {124, 148, reply, 0, 1252, 896, 81901, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81900, 0} "\1\0\0\0B\2\30\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\1\0\0\0\310\232\24\0\350\0\0\0" ... {124, 148, reply, 0, 1252, 896, 81901, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\227\14>{z\307\36M\236\253\23\312\345>u\322\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201\0\0\0\0\360\376?\300\0\0\0\0d\206\254\201\0\0\20\0\377\27\0\0\354Sn\201" )  ) == 0x0
 01829   896   NtRequestWaitReplyPort  (140, {96, 120, new_msg, 0, 1252, 896, 81901, 0}  (140, {96, 120, new_msg, 0, 1252, 896, 81901, 0} "\1\356\0\0A\2\34\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\10\0\0\0\0\0\0\0\10\0\0\0Browser\0\377\1\17\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ... {96, 120, reply, 0, 1252, 896, 81902, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81902, 0}  (140, {96, 120, new_msg, 0, 1252, 896, 81901, 0} "\1\356\0\0A\2\34\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\10\0\0\0\0\0\0\0\10\0\0\0Browser\0\377\1\17\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" ... {96, 120, reply, 0, 1252, 896, 81902, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01830   896   NtRequestWaitReplyPort  (140, {84, 108, new_msg, 0, 1252, 896, 81902, 0}  (140, {84, 108, new_msg, 0, 1252, 896, 81902, 0} "\1+\0\0A\2&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\1\0\0\0\0\4\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81903, 0} "\2\0\370\0\4\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201(\4\0\0x~\15\0" )  ... {40, 64, reply, 0, 1252, 896, 81903, 0}  (140, {84, 108, new_msg, 0, 1252, 896, 81902, 0} "\1+\0\0A\2&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\1\0\0\0\0\4\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81903, 0} "\2\0\370\0\4\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201(\4\0\0x~\15\0" )  ) == 0x0
 01831   896   NtRequestWaitReplyPort  (140, {64, 88, new_msg, 56, 1350960, 1242952, 1243052, 0}  (140, {64, 88, new_msg, 56, 1350960, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\244\235\24\0\1\0\0\0\250\243\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {64, 88, reply, 56, 1252, 896, 81904, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\244\235\24\0\1\0\0\0\250\243\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" )  ... {64, 88, reply, 56, 1252, 896, 81904, 0}  (140, {64, 88, new_msg, 56, 1350960, 1242952, 1243052, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\244\235\24\0\1\0\0\0\250\243\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {64, 88, reply, 56, 1252, 896, 81904, 0} "\10\367\22\0@\0\24\0\346\277\347w\254\367\22\0H\367\22\0\20\0\0\0\250\35\336w\244\235\24\0\1\0\0\0\250\243\24\0(\4\0\0(\4\0\0x~\15\0\0\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 01832   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81903, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81903, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\1\0\0\0\0\4\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81905, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81905, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81903, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\307v\231\2503\242\376L\223\303\257\367:\34\353\313\1\0\0\0\0\4\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81905, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01833   896   NtRequestWaitReplyPort  (140, {44, 68, new_msg, 56, 1252, 896, 81905, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81905, 0} "\1+\0\0B\2$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0 \214\24\0V\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81906, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0x~\15\0" )  ... {40, 64, reply, 0, 1252, 896, 81906, 0}  (140, {44, 68, new_msg, 56, 1252, 896, 81905, 0} "\1+\0\0B\2$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\1\0\0\1\0\0\0 \214\24\0V\1\0\0" ... {40, 64, reply, 0, 1252, 896, 81906, 0} "\2\0\370\0\1\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\0\0\0\0x~\15\0" )  ) == 0x0
 01834   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81906, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81906, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\227\14>{z\307\36M\236\253\23\312\345>u\322\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81907, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ... {96, 120, reply, 0, 1252, 896, 81907, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81906, 0} "\1\0\0\0A\2\0\0<\0\370\0\226\245\335\341\264\311\275\201:\332R\200\377\377\377\377\]\222\201\0\0\0\0\227\14>{z\307\36M\236\253\23\312\345>u\322\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0" ... {96, 120, reply, 0, 1252, 896, 81907, 0} "\2\356Q\200\1\0\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300l\373`\371X\353Q\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201 Sn\201\1Sn\201" )  ) == 0x0
 01835   896   NtRequestWaitReplyPort  (140, {88, 112, new_msg, 0, 1252, 896, 81907, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81907, 0} "\1\356\0\0A\2\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81908, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ... {96, 120, reply, 0, 1252, 896, 81908, 0}  (140, {88, 112, new_msg, 0, 1252, 896, 81907, 0} "\1\356\0\0A\2\0\0\30Un\201\0\340\375\177\220\373`\371\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0I\213\375\202\222>wH\214\230[v\4\22\245c\0\0\0\0\0\0\0\0\0\0\0\0\253\362Q\200\220\373`\371\0\0\0\0\0\0\0\0\0\0\0\0\210\205\234\201" ... {96, 120, reply, 0, 1252, 896, 81908, 0} "\2+\263\341\1\0T\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254f\12\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\14\0\0\0" )  ) == 0x0
 01836   896   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 01837   896   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01838   896   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01839   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01840   896   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "Protocol_Catalog9"}, ... 188, ) }, ... 188, ) == 0x0
 01841   896   NtQueryValueKey  (188,  (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01842   896   NtNotifyChangeKey  (188, 180, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01843   896   NtQueryValueKey  (188,  (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01844   896   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01845   896   NtQueryValueKey  (188,  (188, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 01846   896   NtQueryValueKey  (188,  (188, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 01847   896   NtOpenKey  (0x2000000, {24, 188, 0x40, 0, 0,  (0x2000000, {24, 188, 0x40, 0, 0, "Catalog_Entries"}, ... 192, ) }, ... 192, ) == 0x0
 01848   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000001"}, ... 196, ) }, ... 196, ) == 0x0
 01849   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01850   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01851   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0<\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0<\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0=\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0>\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0<\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0<\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0=\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0>\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0<\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0<\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0=\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0=\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0>\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0>\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0?\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01852   896   NtClose  (196, ... ) == 0x0
 01853   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000002"}, ... 196, ) }, ... 196, ) == 0x0
 01854   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01855   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01856   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0A\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0A\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0B\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0B\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0C\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0C\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0D\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0A\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0A\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0B\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0B\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0C\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0C\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0D\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0C\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0D\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0A\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0A\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0B\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0B\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0C\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0C\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0D\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01857   896   NtClose  (196, ... ) == 0x0
 01858   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000003"}, ... 196, ) }, ... 196, ) == 0x0
 01859   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01860   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01861   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0F\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0F\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0G\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0G\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0H\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0H\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0I\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0F\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0F\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0G\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0G\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0H\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0H\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0I\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0H\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0I\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0F\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0F\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0G\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0G\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0H\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0H\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0I\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01862   896   NtClose  (196, ... ) == 0x0
 01863   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000004"}, ... 196, ) }, ... 196, ) == 0x0
 01864   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01865   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01866   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0K\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0K\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0L\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0M\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0M\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0N\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0K\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0K\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0L\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0M\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0M\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0N\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0M\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0N\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0K\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0K\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0L\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0M\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0M\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0N\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01867   896   NtClose  (196, ... ) == 0x0
 01868   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000005"}, ... 196, ) }, ... 196, ) == 0x0
 01869   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01870   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01871   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0P\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0P\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Q\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0Q\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0R\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0R\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0P\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0P\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Q\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0Q\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0R\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0R\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0R\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0P\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0P\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Q\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0Q\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0R\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0R\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01872   896   NtClose  (196, ... ) == 0x0
 01873   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000006"}, ... 196, ) }, ... 196, ) == 0x0
 01874   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01875   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01876   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0U\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0U\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0V\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0V\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0W\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0U\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0U\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0V\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0V\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0W\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0U\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0U\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0V\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0V\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0W\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01877   896   NtClose  (196, ... ) == 0x0
 01878   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000007"}, ... 196, ) }, ... 196, ) == 0x0
 01879   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01880   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01881   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Z\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0Z\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0[\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Z\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0Z\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0[\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0Z\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0Z\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0[\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01882   896   NtClose  (196, ... ) == 0x0
 01883   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000008"}, ... 196, ) }, ... 196, ) == 0x0
 01884   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01885   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01886   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0_\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0_\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0`\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0a\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0_\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0_\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0`\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0a\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0_\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0_\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0`\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0a\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01887   896   NtClose  (196, ... ) == 0x0
 01888   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000009"}, ... 196, ) }, ... 196, ) == 0x0
 01889   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01890   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01891   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0d\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0e\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0f\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0d\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0e\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0f\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0d\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0d\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0e\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0f\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01892   896   NtClose  (196, ... ) == 0x0
 01893   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000010"}, ... 196, ) }, ... 196, ) == 0x0
 01894   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01895   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01896   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0i\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0j\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0k\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0i\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0j\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0k\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0i\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0i\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0j\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0k\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01897   896   NtClose  (196, ... ) == 0x0
 01898   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000011"}, ... 196, ) }, ... 196, ) == 0x0
 01899   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01900   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01901   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0n\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0o\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0p\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0n\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0o\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0p\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0n\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0n\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0o\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0p\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01902   896   NtClose  (196, ... ) == 0x0
 01903   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000012"}, ... 196, ) }, ... 196, ) == 0x0
 01904   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01905   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01906   896   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01907   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0t\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0t\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0u\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0t\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0t\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0u\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0t\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0t\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0u\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01908   896   NtClose  (196, ... ) == 0x0
 01909   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000013"}, ... 196, ) }, ... 196, ) == 0x0
 01910   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01911   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01912   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0y\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0z\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0y\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0z\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0y\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0y\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0z\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01913   896   NtClose  (196, ... ) == 0x0
 01914   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000014"}, ... 196, ) }, ... 196, ) == 0x0
 01915   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01916   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01917   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0~\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\177\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0~\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\177\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0~\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0~\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\177\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01918   896   NtClose  (196, ... ) == 0x0
 01919   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000015"}, ... 196, ) }, ... 196, ) == 0x0
 01920   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01921   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01922   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\203\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\204\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\203\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\204\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\203\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\203\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\204\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01923   896   NtClose  (196, ... ) == 0x0
 01924   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000016"}, ... 196, ) }, ... 196, ) == 0x0
 01925   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01926   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01927   896   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01928   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\211\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\211\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\212\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\211\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\211\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\212\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\211\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\211\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\212\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01929   896   NtClose  (196, ... ) == 0x0
 01930   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000017"}, ... 196, ) }, ... 196, ) == 0x0
 01931   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01932   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01933   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\216\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\216\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\217\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\216\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\216\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\217\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\216\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\216\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\217\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01934   896   NtClose  (196, ... ) == 0x0
 01935   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000018"}, ... 196, ) }, ... 196, ) == 0x0
 01936   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01937   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01938   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\223\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\223\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\224\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\223\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\223\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\224\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\223\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\223\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\224\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\226\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01939   896   NtClose  (196, ... ) == 0x0
 01940   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000019"}, ... 196, ) }, ... 196, ) == 0x0
 01941   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01942   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01943   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\230\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\231\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\230\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\231\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\230\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\230\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\231\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\232\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\233\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01944   896   NtClose  (196, ... ) == 0x0
 01945   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000020"}, ... 196, ) }, ... 196, ) == 0x0
 01946   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01947   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01948   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\235\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\236\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\235\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\236\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\235\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\235\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\236\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01949   896   NtClose  (196, ... ) == 0x0
 01950   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000021"}, ... 196, ) }, ... 196, ) == 0x0
 01951   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01952   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01953   896   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01954   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\243\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\243\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\244\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\243\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\243\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\244\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0 (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\243\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\243\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\300\0\0\0t\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\222\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\244\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\7\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\304\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01955   896   NtClose  (196, ... ) == 0x0
 01956   896   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "000000000022"}, ... 196, ) }, ... 196, ) == 0x0
 01957   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01958   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01959   896   NtQueryValueKey  (196,  (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\250\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\250\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\251\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\234\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Pt\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (196, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\250\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\250\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\251\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\234\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Pt\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\250\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\250\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\300\0\0\0\251\7\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\264\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\252\7\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\253\7\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\300\0\0\0\254\7\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\234\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Pt\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 01960   896   NtClose  (196, ... ) == 0x0
 01961   896   NtClose  (192, ... ) == 0x0
 01962   896   NtWaitForSingleObject  (180, 0, {0, 0}, ... ) == 0x102
 01963   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0
 01964   896   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 196, ) }, ... 196, ) == 0x0
 01965   896   NtQueryValueKey  (196,  (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01966   896   NtNotifyChangeKey  (196, 192, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01967   896   NtQueryValueKey  (196,  (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01968   896   NtOpenKey  (0x2000000, {24, 196, 0x40, 0, 0,  (0x2000000, {24, 196, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01969   896   NtQueryValueKey  (196,  (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01970   896   NtOpenKey  (0x2000000, {24, 196, 0x40, 0, 0,  (0x2000000, {24, 196, 0x40, 0, 0, "Catalog_Entries"}, ... 200, ) }, ... 200, ) == 0x0
 01971   896   NtOpenKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "000000000001"}, ... 204, ) }, ... 204, ) == 0x0
 01972   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01973   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01974   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01975   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01976   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01977   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01978   896   NtQueryValueKey  (204,  (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01979   896   NtQueryValueKey  (204,  (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01980   896   NtQueryValueKey  (204,  (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01981   896   NtQueryValueKey  (204,  (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01982   896   NtQueryValueKey  (204,  (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01983   896   NtQueryValueKey  (204,  (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01984   896   NtClose  (204, ... ) == 0x0
 01985   896   NtOpenKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "000000000002"}, ... 204, ) }, ... 204, ) == 0x0
 01986   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01987   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01988   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01989   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01990   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01991   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01992   896   NtQueryValueKey  (204,  (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01993   896   NtQueryValueKey  (204,  (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   896   NtQueryValueKey  (204,  (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01995   896   NtQueryValueKey  (204,  (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01996   896   NtQueryValueKey  (204,  (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01997   896   NtQueryValueKey  (204,  (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01998   896   NtClose  (204, ... ) == 0x0
 01999   896   NtOpenKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "000000000003"}, ... 204, ) }, ... 204, ) == 0x0
 02000   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02001   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 02002   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02003   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02004   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02005   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 02006   896   NtQueryValueKey  (204,  (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 02007   896   NtQueryValueKey  (204,  (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02008   896   NtQueryValueKey  (204,  (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 02009   896   NtQueryValueKey  (204,  (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02010   896   NtQueryValueKey  (204,  (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02011   896   NtQueryValueKey  (204,  (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02012   896   NtClose  (204, ... ) == 0x0
 02013   896   NtOpenKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "000000000004"}, ... 204, ) }, ... 204, ) == 0x0
 02014   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02015   896   NtQueryValueKey  (204,  (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 02016   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02017   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02018   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02019   896   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 02020   896   NtQueryValueKey  (204,  (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 02021   896   NtQueryValueKey  (204,  (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (204, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 02022   896   NtQueryValueKey  (204,  (204, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02023   896   NtQueryValueKey  (204,  (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 02024   896   NtQueryValueKey  (204,  (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02025   896   NtQueryValueKey  (204,  (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02026   896   NtQueryValueKey  (204,  (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02027   896   NtClose  (204, ... ) == 0x0
 02028   896   NtClose  (200, ... ) == 0x0
 02029   896   NtWaitForSingleObject  (192, 0, {0, 0}, ... ) == 0x102
 02030   896   NtClose  (184, ... ) == 0x0
 02031   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02032   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02033   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 02034   896   NtQueryValueKey  (184,  (184, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02035   896   NtClose  (184, ... ) == 0x0
 02036   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 184, ) == 0x0
 02037   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3801088, 65536, ) == 0x0
 02038   896   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 02039   896   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 200, ) == 0x0
 02040   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
 02041   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 02042   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 20480, ) == 0x0
 02043   896   NtFreeVirtualMemory  (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 65536, ) == 0x0
 02044   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 02045   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02046   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02047   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02048   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02049   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02050   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02051   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02052   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02053   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02054   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02055   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02056   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02057   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02058   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02059   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02060   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02061   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02062   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02063   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02064   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02065   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02066   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02067   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02068   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02069   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02070   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02071   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02072   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02073   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02074   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02075   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02076   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02077   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02078   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02079   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02080   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02081   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02082   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02083   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02084   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02085   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02086   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02087   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02088   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02089   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02090   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02091   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02092   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02093   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02094   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02095   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02096   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02097   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02098   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02099   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02100   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02101   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02102   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02103   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02104   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02105   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02106   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02107   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02108   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02109   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02110   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02111   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 02112   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02113   896   NtClose  (200, ... ) == 0x0
 02114   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msblast.exe"}, 1244192, ... ) }, 1244192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02115   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\MSBLAST.EXE"}, 1243984, ... ) }, 1243984, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02116   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msblast.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02117   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\MSBLAST.EXE"}, 1244016, ... ) }, 1244016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02118   896   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msblast.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02119   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0
 02120   896   NtAllocateVirtualMemory  (-1, 9437184, 0, 72104, 4096, 4, ... 9437184, 73728, ) == 0x0
 02121   896   NtDelayExecution  (0, {-1000000, -1}, ... ) == 0x0
 02122   896   NtWaitForSingleObject  (192, 0, {0, 0}, ... ) == 0x102
 02123   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0
 02124   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 02125   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 200, ... 204, ) == 0x0
 02126   896   NtClose  (200, ... ) == 0x0
 02127   896   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 245760, ) == 0x0
 02128   896   NtClose  (204, ... ) == 0x0
 02129   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02130   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240972, ... ) }, 1240972, ... ) == 0x0
 02131   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 02132   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0
 02133   896   NtQuerySection  (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02134   896   NtClose  (204, ... ) == 0x0
 02135   896   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 02136   896   NtClose  (200, ... ) == 0x0
 02137   896   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 02138   896   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 02139   896   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 02140   896   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 02141   896   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 02142   896   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 02143   896   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 02144   896   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 02145   896   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 02146   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02147   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02148   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02149   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 02150   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02151   896   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 02152   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1240768, ... ) }, 1240768, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02153   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 1240768, ... ) }, 1240768, ... ) == 0x0
 02154   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 02155   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 02156   896   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02157   896   NtClose  (204, ... ) == 0x0
 02158   896   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 02159   896   NtClose  (208, ... ) == 0x0
 02160   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02161   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02162   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02163   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02164   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02165   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02166   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02167   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02168   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02169   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02170   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02171   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02172   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02173   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02174   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02175   896   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 02176   896   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 02177   896   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 02178   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02179   896   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 02180   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02181   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02182   896   NtQueryValueKey  (204,  (204, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02183   896   NtQueryValueKey  (208,  (208, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02184   896   NtQueryValueKey  (204,  (204, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02185   896   NtQueryValueKey  (208,  (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02186   896   NtQueryValueKey  (204,  (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02187   896   NtQueryValueKey  (208,  (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02188   896   NtQueryValueKey  (204,  (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02189   896   NtQueryValueKey  (208,  (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02190   896   NtQueryValueKey  (204,  (204, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02191   896   NtQueryValueKey  (204,  (204, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   896   NtQueryValueKey  (204,  (204, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02193   896   NtQueryValueKey  (204,  (204, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02194   896   NtQueryValueKey  (204,  (204, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02195   896   NtQueryValueKey  (204,  (204, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02196   896   NtQueryValueKey  (204,  (204, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02197   896   NtQueryValueKey  (204,  (204, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02198   896   NtQueryValueKey  (204,  (204, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02199   896   NtQueryValueKey  (208,  (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02200   896   NtQueryValueKey  (204,  (204, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02201   896   NtQueryValueKey  (204,  (204, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202   896   NtQueryValueKey  (208,  (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02203   896   NtQueryValueKey  (204,  (204, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   896   NtQueryValueKey  (208,  (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02205   896   NtQueryValueKey  (204,  (204, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02206   896   NtQueryValueKey  (208,  (208, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   896   NtQueryValueKey  (204,  (204, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02208   896   NtQueryValueKey  (208,  (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   896   NtQueryValueKey  (204,  (204, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02210   896   NtQueryValueKey  (208,  (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   896   NtQueryValueKey  (204,  (204, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02212   896   NtQueryValueKey  (208,  (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02213   896   NtQueryValueKey  (204,  (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02214   896   NtQueryValueKey  (208,  (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02215   896   NtQueryValueKey  (204,  (204, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02216   896   NtQueryValueKey  (204,  (204, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02217   896   NtQueryValueKey  (204,  (204, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   896   NtQueryValueKey  (204,  (204, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02219   896   NtQueryValueKey  (204,  (204, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02220   896   NtQueryValueKey  (204,  (204, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02221   896   NtQueryValueKey  (204,  (204, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02222   896   NtQueryValueKey  (204,  (204, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02223   896   NtQueryValueKey  (204,  (204, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02224   896   NtQueryValueKey  (204,  (204, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02225   896   NtQueryValueKey  (204,  (204, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02226   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02227   896   NtQueryValueKey  (212,  (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02228   896   NtClose  (212, ... ) == 0x0
 02229   896   NtClose  (208, ... ) == 0x0
 02230   896   NtClose  (204, ... ) == 0x0
 02231   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02232   896   NtQueryValueKey  (204,  (204, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02233   896   NtQueryValueKey  (204,  (204, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02234   896   NtQueryValueKey  (204,  (204, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02235   896   NtClose  (204, ... ) == 0x0
 02236   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0
 02237   896   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 1241228, 188, ... 208, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241228, 188, ... 208, 0x0, 0x0, 0x0, 188, ) == 0x0
 02238   896   NtRequestWaitReplyPort  (208, {200, 224, new_msg, 0, 1343328, 12, 2, 1310721}  (208, {200, 224, new_msg, 0, 1343328, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\310\20\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0]_\346~\13\323\205\21\300\20\25\0h\1\24\0\12\0\0\0\0\0\0\0\300\20\25\0(\0\0\0\310\20\25\0\240/A\6x\1\24\0(\0\0\0=\27\0\0\0\0\24\0\350\356\22\0\376H\335\353\0\0\0\0H\3\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81910, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\310\20\25\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0]_\346~\13\323\205\21\300\20\25\0h\1\24\0\12\0\0\0\0\0\0\0\300\20\25\0(\0\0\0\310\20\25\0\240/A\6x\1\24\0(\0\0\0=\27\0\0\0\0\24\0\350\356\22\0\376H\335\353\0\0\0\0H\3\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1252, 896, 81910, 0}  (208, {200, 224, new_msg, 0, 1343328, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\310\20\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0]_\346~\13\323\205\21\300\20\25\0h\1\24\0\12\0\0\0\0\0\0\0\300\20\25\0(\0\0\0\310\20\25\0\240/A\6x\1\24\0(\0\0\0=\27\0\0\0\0\24\0\350\356\22\0\376H\335\353\0\0\0\0H\3\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81910, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\310\20\25\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0]_\346~\13\323\205\21\300\20\25\0h\1\24\0\12\0\0\0\0\0\0\0\300\20\25\0(\0\0\0\310\20\25\0\240/A\6x\1\24\0(\0\0\0=\27\0\0\0\0\24\0\350\356\22\0\376H\335\353\0\0\0\0H\3\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\14\357\22\0\372\31\221|\240\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02239   896   NtRequestWaitReplyPort  (208, {64, 88, new_msg, 0, 0, 0, 0, 0}  (208, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 1252, 896, 81911, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ... {52, 76, reply, 0, 1252, 896, 81911, 0}  (208, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 1252, 896, 81911, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 02240   896   NtClose  (204, ... ) == 0x0
 02241   896   NtClose  (208, ... ) == 0x0
 02242   896   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 02243   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02244   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02245   896   NtQueryValueKey  (208,  (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02246   896   NtQueryValueKey  (208,  (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02247   896   NtClose  (208, ... ) == 0x0
 02248   896   NtClose  (204, ... ) == 0x0
 02249   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0
 02250   896   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 1241076, 188, ... 208, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241076, 188, ... 208, 0x0, 0x0, 0x0, 188, ) == 0x0
 02251   896   NtRequestWaitReplyPort  (208, {200, 224, new_msg, 0, 1343328, 12, 2, 1310721}  (208, {200, 224, new_msg, 0, 1343328, 12, 2, 1310721} "\0\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\304\261\367+\327\342&\246c\272z\266oF\1\216\12\0\0\0a!\260!\33\334\303\0\0\0\0H\16\25\0H\3623\246\312h\265L(\0\0\0!\340\0K\0\0\24\0P\356\22\0r\274w\206\0\0\0\0H\3\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81914, 0} "\7\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\304\261\367+\327\342&\246c\272z\266oF\1\216\12\0\0\0a!\260!\33\334\303\0\0\0\0H\16\25\0H\3623\246\312h\265L(\0\0\0!\340\0K\0\0\24\0P\356\22\0r\274w\206\0\0\0\0H\3\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1252, 896, 81914, 0}  (208, {200, 224, new_msg, 0, 1343328, 12, 2, 1310721} "\0\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\304\261\367+\327\342&\246c\272z\266oF\1\216\12\0\0\0a!\260!\33\334\303\0\0\0\0H\16\25\0H\3623\246\312h\265L(\0\0\0!\340\0K\0\0\24\0P\356\22\0r\274w\206\0\0\0\0H\3\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 896, 81914, 0} "\7\0\0\0\274\0\0\0D6\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\304\261\367+\327\342&\246c\272z\266oF\1\216\12\0\0\0a!\260!\33\334\303\0\0\0\0H\16\25\0H\3623\246\312h\265L(\0\0\0!\340\0K\0\0\24\0P\356\22\0r\274w\206\0\0\0\0H\3\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0t\356\22\0\372\31\221|\10\366\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02252   896   NtRequestWaitReplyPort  (208, {44, 68, new_msg, 0, 1252, 896, 81911, 0}  (208, {44, 68, new_msg, 0, 1252, 896, 81911, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81915, 0} "\2\356Q\200\4\0\0\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300lkt\367X\353Q\200\320\1\0\0X-\12\0" )  ... {40, 64, reply, 0, 1252, 896, 81915, 0}  (208, {44, 68, new_msg, 0, 1252, 896, 81911, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 1252, 896, 81915, 0} "\2\356Q\200\4\0\0\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300lkt\367X\353Q\200\320\1\0\0X-\12\0" )  ) == 0x0
 02253   896   NtRequestWaitReplyPort  (208, {64, 88, new_msg, 56, 1348600, 1241588, 1241688, 0}  (208, {64, 88, new_msg, 56, 1348600, 1241588, 1241688, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vl\224\24\0\1\0\0\0\30\22\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\310\16\25\0" ... {64, 88, reply, 56, 1252, 896, 81916, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vl\224\24\0\1\0\0\0\30\22\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\310\16\25\0" )  ... {64, 88, reply, 56, 1252, 896, 81916, 0}  (208, {64, 88, new_msg, 56, 1348600, 1241588, 1241688, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vl\224\24\0\1\0\0\0\30\22\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\310\16\25\0" ... {64, 88, reply, 56, 1252, 896, 81916, 0} "\10\362\22\0@\0\24\0\346\277\347wX\362\22\0\364\361\22\0\20\0\0\0\250.\362vl\224\24\0\1\0\0\0\30\22\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\310\16\25\0" )  ) == 0x0
 02254   896   NtClose  (204, ... ) == 0x0
 02255   896   NtClose  (208, ... ) == 0x0
 02256   896   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 02257   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02258   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02259   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02260   896   NtQueryValueKey  (208,  (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02261   896   NtQueryValueKey  (208,  (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02262   896   NtClose  (208, ... ) == 0x0
 02263   896   NtClose  (204, ... ) == 0x0
 02264   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 02265   896   NtQueryValueKey  (204,  (204, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02266   896   NtClose  (204, ... ) == 0x0
 02267   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0
 02268   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 02269   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 208, ) == 0x0
 02270   896   NtClose  (204, ... ) == 0x0
 02271   896   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 20480, ) == 0x0
 02272   896   NtClose  (208, ... ) == 0x0
 02273   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02274   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1240972, ... ) }, 1240972, ... ) == 0x0
 02275   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02276   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0
 02277   896   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02278   896   NtClose  (208, ... ) == 0x0
 02279   896   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02280   896   NtClose  (204, ... ) == 0x0
 02281   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02282   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02283   896   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02284   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02285   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02286   896   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02287   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "WLDAP32.dll"}, ... 204, ) }, ... 204, ) == 0x0
 02288   896   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02289   896   NtClose  (204, ... ) == 0x0
 02290   896   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02291   896   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02292   896   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02293   896   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02294   896   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02295   896   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02296   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02297   896   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02298   896   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02299   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02300   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0
 02301   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 208, ) }, ... 208, ) == 0x0
 02302   896   NtQueryValueKey  (208,  (208, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02303   896   NtClose  (208, ... ) == 0x0
 02304   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02305   896   NtQueryPerformanceCounter  (... {-1446882133, 16}, {3579545, 0}, ) == 0x0
 02306   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0
 02307   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02308   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3801088, 65536, ) == 0x0
 02309   896   NtAllocateVirtualMemory  (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0
 02310   896   NtAllocateVirtualMemory  (-1, 3805184, 0, 8192, 4096, 4, ... 3805184, 8192, ) == 0x0
 02311   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 1240664, ... ) }, 1240664, ... ) == 0x0
 02312   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02313   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 208, ... 212, ) == 0x0
 02314   896   NtClose  (208, ... ) == 0x0
 02315   896   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 110592, ) == 0x0
 02316   896   NtClose  (212, ... ) == 0x0
 02317   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 02318   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 1240972, ... ) }, 1240972, ... ) == 0x0
 02319   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 02320   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 212, ... 208, ) == 0x0
 02321   896   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02322   896   NtClose  (212, ... ) == 0x0
 02323   896   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0
 02324   896   NtClose  (208, ... ) == 0x0
 02325   896   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02326   896   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02327   896   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02328   896   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02329   896   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02330   896   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02331   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02332   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1240148, ... ) }, 1240148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02333   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1240148, ... ) }, 1240148, ... ) == 0x0
 02334   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02335   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0
 02336   896   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02337   896   NtClose  (208, ... ) == 0x0
 02338   896   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 02339   896   NtClose  (212, ... ) == 0x0
 02340   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02341   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02342   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02343   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02344   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02345   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02346   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02347   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02348   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02349   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02350   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02351   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02352   896   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02353   896   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02354   896   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02355   896   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02356   896   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02357   896   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02358   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02359   896   NtQueryDefaultUILanguage  (2090319928, ...
 02360   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02361   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482760, ) == 0x0
 02362   896   NtQueryInformationToken  (-2147482760, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02363   896   NtClose  (-2147482760, ... ) == 0x0
 02364   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482760, ) }, ... -2147482760, ) == 0x0
 02365   896   NtOpenKey  (0x80000000, {24, -2147482760, 0x240, 0, 0,  (0x80000000, {24, -2147482760, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02366   896   NtOpenKey  (0x80000000, {24, -2147482760, 0x640, 0, 0,  (0x80000000, {24, -2147482760, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482684, ) }, ... -2147482684, ) == 0x0
 02367   896   NtQueryValueKey  (-2147482684,  (-2147482684, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02368   896   NtClose  (-2147482684, ... ) == 0x0
 02369   896   NtClose  (-2147482760, ... ) == 0x0
 02359   896   NtQueryDefaultUILanguage  ... ) == 0x0
 02370   896   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02371   896   NtQueryDefaultLocale  (1, 1240868, ... ) == 0x0
 02372   896   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02373   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02374   896   NtQueryValueKey  (212,  (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02375   896   NtClose  (212, ... ) == 0x0
 02376   896   NtUserGetProcessWindowStation  (... ) == 0x14
 02377   896   NtUserGetObjectInformation  (20, 1, 1240464, 12, 1240476, ... ) == 0x1
 02378   896   NtOpenKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02379   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\WPA\PnP"}, ... 212, ) }, ... 212, ) == 0x0
 02380   896   NtQueryValueKey  (212,  (212, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02381   896   NtClose  (212, ... ) == 0x0
 02382   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02383   896   NtQueryValueKey  (212,  (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02384   896   NtQueryValueKey  (212,  (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02385   896   NtClose  (212, ... ) == 0x0
 02386   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02387   896   NtQueryValueKey  (212,  (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02388   896   NtQueryValueKey  (212,  (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02389   896   NtClose  (212, ... ) == 0x0
 02390   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02391   896   NtQueryValueKey  (212,  (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02392   896   NtQueryValueKey  (212,  (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02393   896   NtClose  (212, ... ) == 0x0
 02394   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02395   896   NtQueryValueKey  (212,  (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02396   896   NtQueryValueKey  (212,  (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02397   896   NtClose  (212, ... ) == 0x0
 02398   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02399   896   NtQueryValueKey  (212,  (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02400   896   NtQueryValueKey  (212,  (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02401   896   NtClose  (212, ... ) == 0x0
 02402   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 02403   896   NtQueryValueKey  (212,  (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02404   896   NtQueryValueKey  (212,  (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02405   896   NtClose  (212, ... ) == 0x0
 02406   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 212, ) }, ... 212, ) == 0x0
 02407   896   NtQueryValueKey  (212,  (212, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02408   896   NtQueryValueKey  (212,  (212, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (212, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02409   896   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 02410   896   NtClose  (212, ... ) == 0x0
 02411   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 212, ) == 0x0
 02412   896   NtCreateMutant  (0x1f0001, 0x0, 0, ... 208, ) == 0x0
 02413   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 216, ) == 0x0
 02414   896   NtCreateMutant  (0x1f0001, 0x0, 0, ... 220, ) == 0x0
 02415   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 224, ) == 0x0
 02416   896   NtCreateMutant  (0x1f0001, 0x0, 0, ... 228, ) == 0x0
 02417   896   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 232, ) }, ... 232, ) == 0x0
 02418   896   NtQueryValueKey  (232,  (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02419   896   NtQueryValueKey  (232,  (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02420   896   NtQueryValueKey  (232,  (232, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02421   896   NtOpenKey  (0x1, {24, 232, 0x40, 0, 0,  (0x1, {24, 232, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02422   896   NtClose  (232, ... ) == 0x0
 02423   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1240380, ... ) }, 1240380, ... ) == 0x0
 02424   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 232, ) }, ... 232, ) == 0x0
 02425   896   NtQueryValueKey  (232,  (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (232, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02426   896   NtClose  (232, ... ) == 0x0
 02427   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 232, ) }, ... 232, ) == 0x0
 02428   896   NtQueryValueKey  (232,  (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (232, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02429   896   NtClose  (232, ... ) == 0x0
 02430   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02431   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 232, ) }, ... 232, ) == 0x0
 02432   896   NtQueryValueKey  (232,  (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (232, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02433   896   NtClose  (232, ... ) == 0x0
 02434   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02435   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 232, ) == 0x0
 02436   896   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 1240880, 188, ... 236, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1240880, 188, ... 236, 0x0, 0x0, 0x0, 188, ) == 0x0
 02437   896   NtRequestWaitReplyPort  (236, {200, 224, new_msg, 0, 3276848, 1384056, 12, 2}  (236, {200, 224, new_msg, 0, 3276848, 1384056, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0P\36\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0)5\2466\332ni\275H\36\25\0h\1\24\0\12\0\0\0\0\0\0\0H\36\25\0(\0\0\0P\36\25\0a<\14\276x\1\24\0(\0\0\0\356?\0\0\0\0\24\0\214\355\22\0\337\220\277\212\0\0\0\0X\26\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81919, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0)5\2466\332ni\275H\36\25\0h\1\24\0\12\0\0\0\0\0\0\0H\36\25\0(\0\0\0P\36\25\0a<\14\276x\1\24\0(\0\0\0\356?\0\0\0\0\24\0\214\355\22\0\337\220\277\212\0\0\0\0X\26\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ... {200, 224, reply, 0, 1252, 896, 81919, 0}  (236, {200, 224, new_msg, 0, 3276848, 1384056, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\1\0\5\0\4\0\0\0\2001\24\0P\36\25\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0)5\2466\332ni\275H\36\25\0h\1\24\0\12\0\0\0\0\0\0\0H\36\25\0(\0\0\0P\36\25\0a<\14\276x\1\24\0(\0\0\0\356?\0\0\0\0\24\0\214\355\22\0\337\220\277\212\0\0\0\0X\26\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1252, 896, 81919, 0} "\7\0\24\0\10\0\0\0\274\0\0\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2001\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0)5\2466\332ni\275H\36\25\0h\1\24\0\12\0\0\0\0\0\0\0H\36\25\0(\0\0\0P\36\25\0a<\14\276x\1\24\0(\0\0\0\356?\0\0\0\0\24\0\214\355\22\0\337\220\277\212\0\0\0\0X\26\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\260\355\22\0\372\31\221|D\365\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02438   896   NtRequestWaitReplyPort  (236, {96, 120, new_msg, 0, 1252, 896, 81915, 0}  (236, {96, 120, new_msg, 0, 1252, 896, 81915, 0} "\1\356\0\0A\2\11\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0,h\24\0\16\0\0\0\0\0\0\0\16\0\0\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 1252, 896, 81920, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 1252, 896, 81920, 0}  (236, {96, 120, new_msg, 0, 1252, 896, 81915, 0} "\1\356\0\0A\2\11\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0,h\24\0\16\0\0\0\0\0\0\0\16\0\0\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 1252, 896, 81920, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02439   896   NtClose  (232, ... ) == 0x0
 02440   896   NtClose  (236, ... ) == 0x0
 02441   896   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Linkage"}, ... 236, ) }, ... 236, ) == 0x0
 02442   896   NtQueryValueKey  (236,  (236, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02443   896   NtQueryValueKey  (236,  (236, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02444   896   NtQueryValueKey  (236,  (236, "Export", Partial, 958, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0C\09\0C\0-\0E\0E\0A\0F\0B\07\06\0F\0F\0A\02\0F\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\08\02\00\0-\09\02\07\0E\02\00\07\06\00\0A\0B\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0\0\0\0\0\276\3\0\0\215\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0\270\36\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\377\377\377\377\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\215\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\1\0\1\04\0\0\300\0\0\0\0\216\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0.\37\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\377\377\377\377\0\0"}, 958, ) , Partial, 958, ... TitleIdx=0, Type=7, Data= (236, "Export", Partial, 958, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0C\09\0C\0-\0E\0E\0A\0F\0B\07\06\0F\0F\0A\02\0F\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\08\02\00\0-\09\02\07\0E\02\00\07\06\00\0A\0B\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0\0\0\0\0\276\3\0\0\215\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0\270\36\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\04\07\02\0-\06\09\07\02\08\0E\0B\08\0A\07\0D\07\0}\0\377\377\377\377\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\215\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\1\0\1\04\0\0\300\0\0\0\0\216\11\0\0\344\4\0\0\200\3\0\0\27\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\20 \0\0\0\0\30\0\0\0\0\0\0\0p\365\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0v\0.\37\25\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\06\0C\01\0-\05\04\02\05\0C\00\0D\0E\02\07\0B\06\0}\0\377\377\377\377\0\0"}, 958, ) }, 958, ) == 0x0
 02445   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{FCC03A41-8CCC-4919-A472-69728EB8A7D7}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02446   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{AE7421B5-732D-4567-A6C1-5425C0DE27B6}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02447   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{97C2D9F4-6954-4EB3-8C9C-EEAFB76FFA2F}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02448   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{0D430A6F-0410-4A68-9820-927E20760AB4}"}, 0x0, 0, 3, 3, 0, 0, 0, ... 232, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 0, 0, ... 232, {status=0x0, info=0}, ) == 0x0
 02449   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{8AD4D806-081B-4446-A4DB-6273DFAED94F}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02450   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{E559B0C1-FA46-464D-B965-7E2AC2627EE9}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02451   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{CD3C64B8-DB76-44C8-9C02-70E6C1185259}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02452   896   NtCreateFile  (0x20100000, {24, 0, 0x40, 0, 0,  (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{21B8E9D5-3FC3-4F9D-8FA8-4CA01330DCD8}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02453   896   NtClose  (236, ... ) == 0x0
 02454   896   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 236, ) == 0x0
 02455   896   NtDeviceIoControlFile  (232, 236, 0x0, 0x0, 0x210096,  (232, 236, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0MICROSOFT.COM  \0", 24, 1160, ... {status=0x140178, info=1311096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 24, 1160, ... {status=0x140178, info=1311096},  (232, 236, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0MICROSOFT.COM  \0", 24, 1160, ... {status=0x140178, info=1311096}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02456   896   NtWaitForMultipleObjects  (1, (236, ), 1, 0, 0x0, ... ) == 0x0
 02457   896   NtClose  (236, ... ) == 0x0
 02458   896   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 236, ) }, ... 236, ) == 0x0
 02459   896   NtQueryValueKey  (236,  (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 02460   896   NtQueryValueKey  (236,  (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 02461   896   NtQueryValueKey  (236,  (236, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02462   896   NtClose  (236, ... ) == 0x0
 02463   896   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02464   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 1241712, ... ) }, 1241712, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02465   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasadhlp.dll"}, 1241712, ... ) }, 1241712, ... ) == 0x0
 02466   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasadhlp.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0
 02467   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 236, ... 240, ) == 0x0
 02468   896   NtQuerySection  (240, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02469   896   NtClose  (236, ... ) == 0x0
 02470   896   NtMapViewOfSection  (240, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 24576, ) == 0x0
 02471   896   NtClose  (240, ... ) == 0x0
 02472   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02473   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02474   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02475   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02476   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02477   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02478   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02479   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02480   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02481   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02482   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02483   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02484   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0
 02485   896   NtProtectVirtualMemory  (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0
 02486   896   NtFlushInstructionCache  (-1, 1996230656, 152, ... ) == 0x0
 02487   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02488   896   NtQueryPerformanceCounter  (... {-1438799000, 16}, {3579545, 0}, ) == 0x0
 02489   896   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 240, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 240, {status=0x0, info=0}, ) == 0x0
 02490   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 236, ) == 0x0
 02491   896   NtDeviceIoControlFile  (240, 236, 0x0, 0x0, 0xf14014,  (240, 236, 0x0, 0x0, 0xf14014, "\3\0\0\0microsoft.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02492   896   NtClose  (236, ... ) == 0x0
 02493   896   NtClose  (240, ... ) == 0x0
 02494   896   NtDelayExecution  (0, {-1705032704, -2}, ...
NtAddAtom(>)	1	NtUserGetObjectInformation(>)	1	NtOpenEvent(>)	4	NtCreateEvent(>)	26
NtAdjustPrivilegesToken(>)	1	NtUserGetProcessWindowStation(>)	1	NtQueryPerformanceCounter(>)	4	NtFreeVirtualMemory(>)	28
NtCallbackReturn(>)	1	NtUserGetThreadDesktop(>)	1	NtSetInformationObject(>)	4	NtOpenProcess(>)	29
NtCreateThread(>)	1	NtAccessCheck(>)	2	NtFsControlFile(>)	5	NtOpenFile(>)	30
NtEnumerateValueKey(>)	1	NtContinue(>)	2	NtGdiGetStockObject(>)	5	NtCreateFile(>)	31
NtGdiCreateBitmap(>)	1	NtCreateIoCompletion(>)	2	NtOpenProcessToken(>)	5	NtUserFindExistingCursorIcon(>)	34
NtGdiInit(>)	1	NtEnumerateKey(>)	2	NtSetInformationFile(>)	5	NtRequestWaitReplyPort(>)	39
NtGdiQueryFontAssocInfo(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryDefaultUILanguage(>)	6	NtQueryAttributesFile(>)	41
NtGdiSelectBitmap(>)	1	NtNotifyChangeKey(>)	2	NtQueryVolumeInformationFile(>)	6	NtUserRegisterClassExWOW(>)	42
NtOpenKeyedEvent(>)	1	NtOpenDirectoryObject(>)	2	NtWaitForSingleObject(>)	6	NtQueryVirtualMemory(>)	54
NtOpenSymbolicLinkObject(>)	1	NtOpenThreadToken(>)	2	NtCreateMutant(>)	7	NtOpenSection(>)	55
NtQueryInstallUILanguage(>)	1	NtQueryKey(>)	2	NtQueryInformationProcess(>)	7	NtCreateSection(>)	76
NtQueryObject(>)	1	NtReadFile(>)	2	NtUserSystemParametersInfo(>)	7	NtQuerySystemInformation(>)	82
NtQuerySymbolicLinkObject(>)	1	NtUserRegisterWindowMessage(>)	2	NtQueryDebugFilterState(>)	8	NtUnmapViewOfSection(>)	82
NtQuerySystemTime(>)	1	NtWaitForMultipleObjects(>)	2	NtSetValueKey(>)	8	NtAllocateVirtualMemory(>)	95
NtRegisterThreadTerminatePort(>)	1	NtWriteFile(>)	2	NtOpenProcessTokenEx(>)	9	NtFlushInstructionCache(>)	101
NtResumeThread(>)	1	NtCreateSemaphore(>)	3	NtOpenThreadTokenEx(>)	9	NtWriteVirtualMemory(>)	116
NtSecureConnectPort(>)	1	NtDelayExecution(>)	3	NtQueryInformationFile(>)	9	NtMapViewOfSection(>)	142
NtSetInformationProcess(>)	1	NtDuplicateObject(>)	3	NtCreateKey(>)	11	NtOpenKey(>)	190
NtTestAlert(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQueryInformationToken(>)	12	NtQueryValueKey(>)	256
NtUserCallNoParam(>)	1	NtQueryDefaultLocale(>)	3	NtQuerySection(>)	13	NtProtectVirtualMemory(>)	319
NtUserCallOneParam(>)	1	NtSetInformationThread(>)	3	NtQueryDirectoryFile(>)	14	NtClose(>)	379
NtUserGetDC(>)	1	NtConnectPort(>)	4	NtDeviceIoControlFile(>)	24