Summary:


NtAddAtom(>)  1 
NtEnumerateKey(>)  2 
NtGdiGetStockObject(>)  5 
NtQueryInformationFile(>)  22 

NtCallbackReturn(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenThreadToken(>)  5 
NtFlushInstructionCache(>)  23 

NtDeviceIoControlFile(>)  1 
NtLockFile(>)  2 
NtResumeThread(>)  5 
NtQueryInformationProcess(>)  23 

NtDuplicateToken(>)  1 
NtNotifyChangeKey(>)  2 
NtFsControlFile(>)  6 
NtOpenProcessTokenEx(>)  26 

NtGdiCreateBitmap(>)  1 
NtOpenDirectoryObject(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtOpenThreadTokenEx(>)  26 

NtGdiInit(>)  1 
NtOpenEvent(>)  2 
NtReadVirtualMemory(>)  6 
NtQueryDirectoryFile(>)  26 

NtGdiQueryFontAssocInfo(>)  1 
NtOpenMutant(>)  2 
NtSetEventBoostPriority(>)  6 
NtQuerySystemInformation(>)  26 

NtGdiSelectBitmap(>)  1 
NtQueryInformationJobObject(>)  2 
NtTestAlert(>)  6 
NtSetInformationFile(>)  26 

NtGetContextThread(>)  1 
NtQueryInstallUILanguage(>)  2 
NtRegisterThreadTerminatePort(>)  7 
NtCreateSection(>)  30 

NtOpenKeyedEvent(>)  1 
NtQueryVirtualMemory(>)  2 
NtWriteFile(>)  7 
NtOpenSection(>)  33 

NtOpenProcess(>)  1 
NtReleaseMutant(>)  2 
NtOpenProcessToken(>)  8 
NtQueryInformationToken(>)  35 

NtQueryObject(>)  1 
NtSetValueKey(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtUnmapViewOfSection(>)  44 

NtQuerySystemTime(>)  1 
NtUnlockFile(>)  2 
NtReadFile(>)  9 
NtUserUnregisterClass(>)  45 

NtSecureConnectPort(>)  1 
NtUserWaitForInputIdle(>)  2 
NtSetInformationThread(>)  9 
NtUserFindExistingCursorIcon(>)  48 

NtSetContextThread(>)  1 
NtConnectPort(>)  3 
NtUserSystemParametersInfo(>)  10 
NtQueryAttributesFile(>)  51 

NtSetEvent(>)  1 
NtCreateMutant(>)  3 
NtEnumerateValueKey(>)  11 
NtProtectVirtualMemory(>)  55 

NtUserCallNoParam(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtFreeVirtualMemory(>)  11 
NtOpenFile(>)  56 

NtUserCallOneParam(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtWaitForSingleObject(>)  11 
NtDelayExecution(>)  60 

NtUserGetDC(>)  1 
NtQueryInformationThread(>)  3 
NtSetInformationProcess(>)  12 
NtUserRegisterClassExWOW(>)  63 

NtUserGetThreadDesktop(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtWriteVirtualMemory(>)  13 
NtMapViewOfSection(>)  74 

NtUserKillTimer(>)  1 
NtSetInformationObject(>)  3 
NtQueryDefaultLocale(>)  14 
NtAllocateVirtualMemory(>)  75 

NtUserSetTimer(>)  1 
NtTerminateProcess(>)  3 
NtQuerySection(>)  16 
NtUserGetClassInfo(>)  82 

NtUserSetWindowsHookEx(>)  1 
NtTerminateThread(>)  3 
NtQueryDebugFilterState(>)  17 
NtOpenKey(>)  148 

NtUserUnhookWindowsHookEx(>)  1 
NtUserRegisterWindowMessage(>)  3 
NtContinue(>)  20 
NtQueryValueKey(>)  188 

NtAccessCheck(>)  2 
NtCreateKey(>)  5 
NtRequestWaitReplyPort(>)  20 
NtClose(>)  245 

NtCreateIoCompletion(>)  2 
NtCreateThread(>)  5 
NtCreateEvent(>)  21 

NtCreateProcessEx(>)  2 
NtDuplicateObject(>)  5 

Trace:
 00001   436   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   436   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   436   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   436   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   436   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   436   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   436   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   436   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   436   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   436   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   436   NtClose  (12, ... ) == 0x0
 00014   436   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   436   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   436   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   436   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   436   NtClose  (16, ... ) == 0x0
 00021   436   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   436   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   436   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   436   NtClose  (16, ... ) == 0x0
 00026   436   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   436   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   436   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   436   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   436   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 432, 436, 1495, 0} "\0T\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 432, 436, 1495, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 432, 436, 1495, 0} "\0T\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   436   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   436   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   436   NtClose  (16, ... ) == 0x0
 00036   436   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00037   436   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00038   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00039   436   NtClose  (28, ... ) == 0x0
 00040   436   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00041   436   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00042   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00043   436   NtClose  (28, ... ) == 0x0
 00044   436   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00045   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00046   436   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00047   436   NtClose  (28, ... ) == 0x0
 00048   436   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00049   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00050   436   NtClose  (28, ... ) == 0x0
 00051   436   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00052   436   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00053   436   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   436   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 432, 436, 1496, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 432, 436, 1496, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 432, 436, 1496, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00055   436   NtProtectVirtualMemory  (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 8, ) == 0x0
 00056   436   NtProtectVirtualMemory  (-1, (0x407000), 4096, 8, ... (0x407000), 4096, 4, ) == 0x0
 00057   436   NtFlushInstructionCache  (-1, 4222976, 1514, ... ) == 0x0
 00058   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00059   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00060   436   NtClose  (28, ... ) == 0x0
 00061   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00062   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00063   436   NtClose  (28, ... ) == 0x0
 00064   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00065   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00066   436   NtClose  (28, ... ) == 0x0
 00067   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00068   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00069   436   NtClose  (28, ... ) == 0x0
 00070   436   NtProtectVirtualMemory  (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0
 00071   436   NtProtectVirtualMemory  (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0
 00072   436   NtFlushInstructionCache  (-1, 4222976, 1514, ... ) == 0x0
 00073   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00074   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00075   436   NtClose  (28, ... ) == 0x0
 00076   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00077   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00078   436   NtClose  (28, ... ) == 0x0
 00079   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00080   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00081   436   NtClose  (28, ... ) == 0x0
 00082   436   NtProtectVirtualMemory  (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0
 00083   436   NtProtectVirtualMemory  (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0
 00084   436   NtFlushInstructionCache  (-1, 4222976, 1514, ... ) == 0x0
 00085   436   NtProtectVirtualMemory  (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0
 00086   436   NtProtectVirtualMemory  (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0
 00087   436   NtFlushInstructionCache  (-1, 4222976, 1514, ... ) == 0x0
 00088   436   NtProtectVirtualMemory  (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0
 00089   436   NtProtectVirtualMemory  (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0
 00090   436   NtFlushInstructionCache  (-1, 4222976, 1514, ... ) == 0x0
 00091   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00092   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00093   436   NtClose  (28, ... ) == 0x0
 00094   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00095   436   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00096   436   NtClose  (28, ... ) == 0x0
 00097   436   NtProtectVirtualMemory  (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0
 00098   436   NtProtectVirtualMemory  (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0
 00099   436   NtFlushInstructionCache  (-1, 4222976, 1514, ... ) == 0x0
 00100   436   NtProtectVirtualMemory  (-1, (0x407000), 1514, 4, ... (0x407000), 4096, 4, ) == 0x0
 00101   436   NtProtectVirtualMemory  (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0
 00102   436   NtFlushInstructionCache  (-1, 4222976, 1514, ... ) == 0x0
 00103   436   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00104   436   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00105   436   NtClose  (28, ... ) == 0x0
 00106   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00107   436   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00108   436   NtClose  (28, ... ) == 0x0
 00109   436   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00110   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00111   436   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00112   436   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00113   436   NtClose  (28, ... ) == 0x0
 00114   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00115   436   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00116   436   NtClose  (28, ... ) == 0x0
 00117   436   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00118   436   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00119   436   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00120   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00121   436   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0Ck\314\235\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 432, 436, 1497, 0} "XQ\26\0\0\0\0\0\0\0\0\0Ck\314\235\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 432, 436, 1497, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0Ck\314\235\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 432, 436, 1497, 0} "XQ\26\0\0\0\0\0\0\0\0\0Ck\314\235\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00122   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   436   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0
 00124   436   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00125   436   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00126   436   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482032, ) == 0x0
 00127   436   NtQueryInformationToken  (-2147482032, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00128   436   NtQueryInformationToken  (-2147482032, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00129   436   NtClose  (-2147482032, ... ) == 0x0
 00130   436   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00131   436   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00132   436   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00133   436   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00134   436   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00135   436   NtClose  (-2147482032, ... ) == 0x0
 00136   436   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00137   436   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   436   NtClose  (-2147482032, ... ) == 0x0
 00139   436   NtQueryDefaultLocale  (0, -136115700, ... ) == 0x0
 00140   436   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00141   436   NtUserCallNoParam  (24, ... ) == 0x0
 00142   436   NtGdiCreateCompatibleDC  (0, ...
 00143   436   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00142   436   NtGdiCreateCompatibleDC  ... ) == 0x100103e4
 00144   436   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00145   436   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00146   436   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x13050406
 00147   436   NtGdiCreateSolidBrush  (0, 0, ...
 00148   436   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0
 00147   436   NtGdiCreateSolidBrush  ... ) == 0xe10040c
 00149   436   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00150   436   NtGdiCreateCompatibleDC  (0, ... ) == 0x37010415
 00151   436   NtGdiSelectBitmap  (922813461, 319095814, ... ) == 0x185000f
 00152   436   NtUserGetThreadDesktop  (436, 0, ... ) == 0x2c
 00153   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00154   436   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00155   436   NtClose  (52, ... ) == 0x0
 00156   436   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00157   436   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00158   436   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00159   436   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00160   436   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00161   436   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00162   436   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00163   436   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00164   436   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00165   436   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00166   436   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00167   436   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00168   436   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00169   436   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ...
 00170   436   NtAllocateVirtualMemory  (-1, 5664768, 0, 4096, 4096, 32, ... 5664768, 4096, ) == 0x0
 00169   436   NtUserRegisterClassExWOW  ... ) == 0x810cc01d
 00171   436   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00172   436   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00173   436   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00174   436   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00175   436   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00176   436   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00177   436   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00178   436   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00179   436   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc025
 00180   436   NtCallbackReturn  (0, 0, 0, ...
 00181   436   NtGdiInit  (... ) == 0x1
 00182   436   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00183   436   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00184   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00185   436   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0
 00186   436   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00187   436   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0
 00188   436   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00189   436   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0
 00190   436   NtClose  (52, ... ) == 0x0
 00191   436   NtAllocateVirtualMemory  (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0
 00192   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00193   436   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00194   436   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00195   436   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00196   436   NtClose  (52, ... ) == 0x0
 00197   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00198   436   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00199   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00200   436   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00201   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00202   436   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   436   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00204   436   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205   436   NtClose  (52, ... ) == 0x0
 00206   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00207   436   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   436   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00209   436   NtClose  (52, ... ) == 0x0
 00210   436   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00211   436   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00212   436   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00213   436   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00214   436   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00215   436   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00216   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00217   436   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00218   436   NtClose  (56, ... ) == 0x0
 00219   436   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00220   436   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00221   436   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0
 00222   436   NtQueryValueKey  (56,  (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00223   436   NtClose  (56, ... ) == 0x0
 00224   436   NtQueryDefaultUILanguage  (1241756, ...
 00225   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00226   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00227   436   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00228   436   NtClose  (-2147482032, ... ) == 0x0
 00229   436   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00230   436   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00231   436   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 00232   436   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   436   NtClose  (-2147482044, ... ) == 0x0
 00234   436   NtClose  (-2147482032, ... ) == 0x0
 00224   436   NtQueryDefaultUILanguage  ... ) == 0x0
 00235   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00236   436   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00237   436   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00238   436   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0
 00239   436   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 8323072, ) == 0x0
 00240   436   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00241   436   NtQueryDefaultUILanguage  (2013024600, ...
 00242   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00243   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00244   436   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00245   436   NtClose  (-2147482032, ... ) == 0x0
 00246   436   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00247   436   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00248   436   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 00249   436   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00250   436   NtClose  (-2147482044, ... ) == 0x0
 00251   436   NtClose  (-2147482032, ... ) == 0x0
 00241   436   NtQueryDefaultUILanguage  ... ) == 0x0
 00252   436   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00253   436   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00254   436   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   436   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1501, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 432, 436, 1501, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1501, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\18\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00256   436   NtClose  (56, ... ) == 0x0
 00257   436   NtClose  (60, ... ) == 0x0
 00258   436   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00259   436   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00260   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00261   436   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00263   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00264   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00265   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00266   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00267   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00268   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00269   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0
 00270   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00271   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00272   436   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00273   436   NtClose  (56, ... ) == 0x0
 00274   436   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 921600, ) == 0x0
 00275   436   NtClose  (64, ... ) == 0x0
 00276   436   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00277   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00278   436   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0
 00279   436   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00280   436   NtOpenProcessToken  (-1, 0x8, ... 68, ) == 0x0
 00281   436   NtQueryInformationToken  (68, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00282   436   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 72, ) }, ... 72, ) == 0x0
 00284   436   NtQueryValueKey  (72,  (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00285   436   NtClose  (72, ... ) == 0x0
 00286   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00287   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 72, ) == 0x0
 00288   436   NtQueryInformationToken  (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00289   436   NtClose  (72, ... ) == 0x0
 00290   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00291   436   NtClose  (68, ... ) == 0x0
 00292   436   NtClose  (64, ... ) == 0x0
 00293   436   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00294   436   NtClose  (56, ... ) == 0x0
 00295   436   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00296   436   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00297   436   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00298   436   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00299   436   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00300   436   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00301   436   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00302   436   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00303   436   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00304   436   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00305   436   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00306   436   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00307   436   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00308   436   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00309   436   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00310   436   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00311   436   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00312   436   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00313   436   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00314   436   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00315   436   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00316   436   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00317   436   NtQueryDefaultUILanguage  (1239368, ...
 00318   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00319   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00320   436   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00321   436   NtClose  (-2147482032, ... ) == 0x0
 00322   436   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00323   436   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00324   436   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 00325   436   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00326   436   NtClose  (-2147482044, ... ) == 0x0
 00327   436   NtClose  (-2147482032, ... ) == 0x0
 00317   436   NtQueryDefaultUILanguage  ... ) == 0x0
 00328   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00329   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00330   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00331   436   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00332   436   NtClose  (56, ... ) == 0x0
 00333   436   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 4096, ) == 0x0
 00334   436   NtClose  (64, ... ) == 0x0
 00335   436   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00336   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00337   436   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0
 00338   436   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00339   436   NtClose  (64, ... ) == 0x0
 00340   436   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x880000), {0, 0}, 4096, ) == 0x0
 00341   436   NtClose  (56, ... ) == 0x0
 00342   436   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00343   436   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00344   436   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0
 00345   436   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 4096, ) == 0x0
 00346   436   NtQueryInformationFile  (56, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00347   436   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00348   436   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1502, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 432, 436, 1502, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1502, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00349   436   NtClose  (56, ... ) == 0x0
 00350   436   NtClose  (64, ... ) == 0x0
 00351   436   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00352   436   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00353   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00354   436   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00355   436   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00356   436   NtUserGetDC  (0, ... ) == 0x1010053
 00357   436   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00358   436   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00359   436   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00360   436   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00361   436   NtAccessCheck  (1326824, 64, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00362   436   NtClose  (64, ... ) == 0x0
 00363   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00364   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00365   436   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00366   436   NtClose  (64, ... ) == 0x0
 00367   436   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00368   436   NtSetInformationObject  (64, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00369   436   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00370   436   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   436   NtClose  (56, ... ) == 0x0
 00372   436   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00373   436   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00374   436   NtOpenKey  (0x1, {24, 64, 0x40, 0, 0,  (0x1, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0
 00375   436   NtQueryValueKey  (56,  (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00376   436   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00377   436   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00378   436   NtClose  (68, ... ) == 0x0
 00379   436   NtClose  (56, ... ) == 0x0
 00380   436   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00381   436   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00382   436   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 56, ) }, ... 56, ) == 0x0
 00383   436   NtEnumerateValueKey  (56, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00384   436   NtClose  (56, ... ) == 0x0
 00385   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00386   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03b
 00387   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03d
 00388   436   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00389   436   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc03f
 00390   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00391   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc041
 00392   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00393   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc043
 00394   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc045
 00395   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00396   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc047
 00397   436   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00398   436   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc049
 00399   436   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00400   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00401   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04b
 00402   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00403   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04d
 00404   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00405   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04f
 00406   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc051
 00407   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00408   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc053
 00409   436   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00410   436   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc055
 00411   436   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc057
 00412   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00413   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc059
 00414   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00415   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05b
 00416   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00417   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05d
 00418   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00419   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05f
 00420   436   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00421   436   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc017
 00422   436   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00423   436   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc019
 00424   436   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00425   436   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ...
 00426   436   NtAllocateVirtualMemory  (-1, 5668864, 0, 4096, 4096, 32, ... 5668864, 4096, ) == 0x0
 00425   436   NtUserRegisterClassExWOW  ... ) == 0x810cc018
 00427   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00428   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc01a
 00429   436   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00430   436   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc01c
 00431   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00432   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc01e
 00433   436   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00434   436   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810cc01b
 00435   436   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00436   436   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810cc068
 00437   436   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00438   436   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc06a
 00439   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00440   436   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00441   436   NtClose  (56, ... ) == 0x0
 00442   436   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {432, 0}, ... 56, ) == 0x0
 00443   436   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00444   436   NtClose  (56, ... ) == 0x0
 00445   436   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00446   436   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00447   436   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00448   436   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00449   436   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00450   436   NtClose  (56, ... ) == 0x0
 00451   436   NtUserSystemParametersInfo  (41, 500, 1241332, 0, ... ) == 0x1
 00452   436   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00453   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00454   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00455   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03b
 00456   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00457   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03d
 00458   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00459   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00460   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03f
 00461   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00462   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00463   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc041
 00464   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00465   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00466   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc043
 00467   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00468   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc045
 00469   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00470   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00471   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc047
 00472   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00473   436   NtUserFindExistingCursorIcon  (1241120, 1241136, 1241704, ... ) == 0x10011
 00474   436   NtUserRegisterClassExWOW  (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810cc049
 00475   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00476   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00477   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04b
 00478   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00479   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00480   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04d
 00481   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00482   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00483   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04f
 00484   436   NtUserGetClassInfo  (1999896576, 1241744, 1241696, 1241772, 0, ... ) == 0x0
 00485   436   NtUserRegisterClassExWOW  (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810cc051
 00486   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00487   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00488   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc053
 00489   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00490   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00491   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc055
 00492   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc057
 00493   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00494   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00495   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc059
 00496   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00497   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10013
 00498   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05b
 00499   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00500   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00501   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05d
 00502   436   NtUserGetClassInfo  (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0
 00503   436   NtUserFindExistingCursorIcon  (1241124, 1241140, 1241708, ... ) == 0x10011
 00504   436   NtUserRegisterClassExWOW  (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05f
 00505   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b
 00506   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d
 00507   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f
 00508   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041
 00509   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043
 00510   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045
 00511   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047
 00512   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049
 00513   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b
 00514   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d
 00515   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f
 00516   436   NtUserGetClassInfo  (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051
 00517   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053
 00518   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055
 00519   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059
 00520   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b
 00521   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d
 00522   436   NtUserGetClassInfo  (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f
 00523   436   NtTestAlert  (... ) == 0x0
 00524   436   NtContinue  (1244464, 1, ...
 00525   436   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x42923c,}, 4, ... ) == 0x0
 00526   436   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00527   436   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00528   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "LZ32.dll"}, ... 56, ) }, ... 56, ) == 0x0
 00529   436   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dc0000), 0x0, 12288, ) == 0x0
 00530   436   NtClose  (56, ... ) == 0x0
 00531   436   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244956,  (0x40100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 2, 1, 5, 96, 0, 0, ... }, 0x0, 2, 1, 5, 96, 0, 0, ...
 00532   436   NtClose  (-2147482032, ... ) == 0x0
 00531   436   NtCreateFile  ... 56, {status=0x0, info=2}, ) == 0x0
 00533   436   NtWriteFile  (56, 0, 0, 0,  (56, 0, 0, 0, "SZDD\210\360'3A\0\0\220\0\0\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217", 17878, 0x0, 0, ... {status=0x0, info=17878}, ) , 17878, 0x0, 0, ... {status=0x0, info=17878}, ) == 0x0
 00534   436   NtClose  (56, ... ) == 0x0
 00535   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 1243636, ... ) }, 1243636, ... ) == 0x0
 00536   436   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244368,  (0x80100080, {24, 0, 0x40, 0, 1244368, "\??\C:\WINDOWS\System32\vcmgcd32.dl_"}, 0x0, 0, 3, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0
 00537   436   NtQueryVolumeInformationFile  (56, 1244528, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00538   436   NtQueryInformationFile  (56, 1244420, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00539   436   NtQueryInformationFile  (56, 1244628, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00540   436   NtSetInformationFile  (56, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00541   436   NtSetInformationFile  (56, 1244660, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00542   436   NtReadFile  (56, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (56, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00543   436   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 9043968, 524288, ) == 0x0
 00544   436   NtAllocateVirtualMemory  (-1, 9043968, 0, 4096, 4096, 4, ... 9043968, 4096, ) == 0x0
 00545   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243640, ... ) }, 1243640, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   436   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244372,  (0xc0100080, {24, 0, 0x40, 0, 1244372, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00547   436   NtClose  (-2147482032, ... ) == 0x0
 00546   436   NtCreateFile  ... 68, {status=0x0, info=2}, ) == 0x0
 00548   436   NtQueryVolumeInformationFile  (68, 1244532, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00549   436   NtQueryInformationFile  (68, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00550   436   NtAllocateVirtualMemory  (-1, 1335296, 0, 8192, 4096, 4, ... 1335296, 8192, ) == 0x0
 00551   436   NtAllocateVirtualMemory  (-1, 1343488, 0, 36864, 4096, 4, ... 1343488, 36864, ) == 0x0
 00552   436   NtAllocateVirtualMemory  (-1, 1380352, 0, 36864, 4096, 4, ... 1380352, 36864, ) == 0x0
 00553   436   NtQueryInformationFile  (56, 1244892, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00554   436   NtSetInformationFile  (56, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00555   436   NtSetInformationFile  (56, 1244924, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00556   436   NtReadFile  (56, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14},  (56, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "SZDD\210\360'3A\0\0\220\0\0", ) , ) == 0x0
 00557   436   NtSetInformationFile  (56, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00558   436   NtSetInformationFile  (68, 1244912, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00559   436   NtReadFile  (56, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864},  (56, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=17864}, "\377MZ\220\0\3\0\0\0}\4\365\360\377\377\0\0\270\365\360\242\1\1@\1\4\17\15\34\11\330\365\360\16\377\37\272\16\0\264\11\315!\377\270\1L\315!Thi\377s progra\377m cannot\377 be run \377in DOS m\377ode.\15\15\12$\376\1\4ei\350\341!\10\206}\262t\5\242\24\210\262$u\0\337C\27\225\262(u\2\207\262}hu\0\311\27\220\262 \225\2=\202\233\2Richt\1\34\15\376\270\5PE\0\0L\1\4\337\0R\344\315D\270\5\340\0\237\16!\13\1\6\306\0\365\360\260\252\1\30\323\1\20\365\360`\1\2\20 \364\2\365\0\370\361\364\365\372\3\1\363\3\365\360\341\2\372\4\34\23*\25\363\3\220Q\0\373\0F\365\360\30K\0\0d<\270\15Z\32\1\0\240\7Z\35}\35\304\215\35\362\34\32\20\247\35\260\25.t7ext\365\360\326A\362\4\345\1\374\35\24\260\25 \0\4\340.d7ata\365\360\372\207\366\4\365\7\374\260\26\10\0\300Share\252L\20\220\1\1\360\362\4p\376\35\0\377\360.reloc\0\247\0\336\10f\23\364\2\200&-\0\1B\260\35o-\177-\217-\237-\257-\277-\0\317-\337-\357-\377-\17=\37=/=?=\0O=_=o=\177=\217=\237=\257=\277=\0\317=\337=\357=\377=\17M\37M/M?M\0OM_MoM\177M\217M\237M\257M\277M\0\317M\337M\357M\377M\17]\37]/]?]\0O]_]o]\177]\217]\237]\257]\277]\0\317]\337]\357]\377]\17m\37m/m?m\0Om_mom\177m\217m\237m\257m\277m\0\317m\337m\357m", ) , ) == 0x0
 00560   436   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0ei\350\341!\10\206\262!\10\206\262!\10\206\262\242\24\210\262$\10\206\262C\27\225\262(\10\206\262!\10\207\262h\10\206\262\311\27\220\262 \10\206\262\311\27\202\262 \10\206\262Rich!\10\206\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0R\344\315D\0\0\0\0\0\0\0\0\340\0\16!\13\1\6\0\0P\0\0\0\260\0\0\0\0\0\00D\0\0\0\20\0\0\0`\0\0\0\0\0\20\0\20\0\0\0\20\0\0\4\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\220Q\0\0F\0\0\0\30K\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\04\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\326A\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0
 00561   436   NtWriteFile  (68, 0, 0, 0,  (68, 0, 0, 0, "\0\20\0\0D\1\0\0<1@1L1P1\1`1l1p1|1\2001\2141\2201\2341\2401\2541\2601Z2\3262\3532\33\263>3E3Y3a3\2123\2243\2733\3013\3243\3343\3473\3543\3623\3773\104\234\304\36454=4\1774\2204\376475a5n5\2055\2145\2355\3245\3465\3535\226\3456\3636\3716\3776\77(7-7\2477\3127\3277\3557\18\148\268D8Y8_8f8s8\2018\3148\3318\3428\3578\3668\3758\119\179$999N9d9j9\2029\2159\2239\2359\2519\3249\3369\3609\3729\27:$:/:;:V:[:\225:\317:\344:\10;\25;6;O;n;\255;\272;\341;\15\16>\25>@>M>U>c>i>p>\202>\217>\227>\245>\253>\262>\37?&?+?1?L?e?\236?\250?\257?\267?\302?\325?\334?\366?\0\0\0 \0\0,\2\0\0&0+0\2640\3150\3320\3520\3570\3670!101l1\2011\3151\3541\3611\3671\132\222\272\352*2H2_2k2y2\2142\2362\2532\3372\3702\173\313/343:3@3F3N3T3Z3b3k3s3\1773\2133\2213\2273\2623\2723\3253\3353\3743\204\324(4.444F4P4Z4h4m4\2044\2114\2174\2244\2324\2404\2604\3134\3264\3344\3564\3644\65\145"5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) 5/5;5A5I5O5h5s5", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00562   436   NtQueryInformationFile  (56, 1244896, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00563   436   NtSetInformationFile  (68, 1244896, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00564   436   NtFreeVirtualMemory  (-1, (0x146000), 81920, 16384, ... (0x146000), 81920, ) == 0x0
 00565   436   NtClose  (68, ... ) == 0x0
 00566   436   NtClose  (56, ... ) == 0x0
 00567   436   NtUnmapViewOfSection  (-1, 0x73dc0000, ... ) == 0x0
 00568   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1242748, ... ) }, 1242748, ... ) == 0x0
 00569   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00570   436   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 68, ) == 0x0
 00571   436   NtClose  (56, ... ) == 0x0
 00572   436   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 36864, ) == 0x0
 00573   436   NtClose  (68, ... ) == 0x0
 00574   436   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00575   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1243064, ... ) }, 1243064, ... ) == 0x0
 00576   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00577   436   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 56, ) == 0x0
 00578   436   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00579   436   NtClose  (68, ... ) == 0x0
 00580   436   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 69632, ) == 0x0
 00581   436   NtClose  (56, ... ) == 0x0
 00582   436   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 128, ) == 0x0
 00583   436   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 128, ... (0x10001000), 4096, 4, ) == 0x0
 00584   436   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00585   436   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00586   436   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00587   436   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00588   436   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00589   436   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00590   436   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00591   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00592   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242280, ... ) }, 1242280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00593   436   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242280, ... ) }, 1242280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00594   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242280, ... ) }, 1242280, ... ) == 0x0
 00595   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00596   436   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 68, ) == 0x0
 00597   436   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00598   436   NtClose  (56, ... ) == 0x0
 00599   436   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00600   436   NtClose  (68, ... ) == 0x0
 00601   436   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00602   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   436   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241476, ... ) }, 1241476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241476, ... ) }, 1241476, ... ) == 0x0
 00605   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00606   436   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 56, ) == 0x0
 00607   436   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00608   436   NtClose  (68, ... ) == 0x0
 00609   436   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00610   436   NtClose  (56, ... ) == 0x0
 00611   436   NtProtectVirtualMemory  (-1, (0x10001000), 308, 4, ... (0x10001000), 4096, 64, ) == 0x0
 00612   436   NtProtectVirtualMemory  (-1, (0x10001000), 4096, 64, ... (0x10001000), 4096, 4, ) == 0x0
 00613   436   NtFlushInstructionCache  (-1, 268439552, 308, ... ) == 0x0
 00614   436   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00615   436   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00616   436   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00617   436   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00618   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vcmgcd32.dll"}, 1240980, ... ) }, 1240980, ... ) == 0x0
 00619   436   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "_kuku_joker_v3.09_"}, 0, ... 56, ) }, 0, ... 56, ) == 0x0
 00620   436   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x0
 00621   436   NtUserSetWindowsHookEx  (268435456, 1242684, 0, 3, 268446576, 2, ... ) == 0x3004d
 00622   436   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9568256, 1048576, ) == 0x0
 00623   436   NtAllocateVirtualMemory  (-1, 10596352, 0, 20480, 4096, 4, ... 10596352, 20480, ) == 0x0
 00624   436   NtProtectVirtualMemory  (-1, (0xa1b000), 4096, 260, ... (0xa1b000), 4096, 4, ) == 0x0
 00625   436   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 68, {432, 568}, ) == 0x0
 00626   436   NtQueryInformationThread  (68, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=432,Tid=568,}, 0x0, ) == 0x0
 00627   436   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0}  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0D\0\0\0\260\1\0\08\2\0\0" ... {28, 56, reply, 0, 432, 436, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0\260\1\0\08\2\0\0" )  ... {28, 56, reply, 0, 432, 436, 1518, 0}  (24, {28, 56, new_msg, 0, 0, 2147347448, 0, 0} "\0\0\0\0\1\0\1\0E\0R\03\02\0D\0\0\0\260\1\0\08\2\0\0" ... {28, 56, reply, 0, 432, 436, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0D\0\0\0\260\1\0\08\2\0\0" )  ) == 0x0
 00628   436   NtResumeThread  (68, ... 1, ) == 0x0
 00629   436   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10616832, 1048576, ) == 0x0
 00630   436   NtAllocateVirtualMemory  (-1, 11644928, 0, 20480, 4096, 4, ... 11644928, 20480, ) == 0x0
 00631   436   NtProtectVirtualMemory  (-1, (0xb1b000), 4096, 260, ...
 00632   568   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 72, ) == 0x0
 00633   568   NtWaitForSingleObject  (72, 0, 0x0, ...
 00631   436   NtProtectVirtualMemory  ... (0xb1b000), 4096, 4, ) == 0x0
 00634   436   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 76, {432, 572}, ) == 0x0
 00635   436   NtQueryInformationThread  (76, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=432,Tid=572,}, 0x0, ) == 0x0
 00636   436   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 432, 436, 1518, 0}  (24, {28, 56, new_msg, 0, 432, 436, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0L\0\0\0\260\1\0\0<\2\0\0" ... {28, 56, reply, 0, 432, 436, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0L\0\0\0\260\1\0\0<\2\0\0" )  ... {28, 56, reply, 0, 432, 436, 1519, 0}  (24, {28, 56, new_msg, 0, 432, 436, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0L\0\0\0\260\1\0\0<\2\0\0" ... {28, 56, reply, 0, 432, 436, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0L\0\0\0\260\1\0\0<\2\0\0" )  ) == 0x0
 00637   436   NtResumeThread  (76, ... 1, ) == 0x0
 00638   436   NtUserSetTimer  (0, 0, 4096, 268451664, ... ) == 0x7ff9
 00639   572   NtWaitForSingleObject  (72, 0, 0x0, ...
 00640   436   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11665408, 1048576, ) == 0x0
 00641   436   NtAllocateVirtualMemory  (-1, 12693504, 0, 20480, 4096, 4, ... 12693504, 20480, ) == 0x0
 00642   436   NtProtectVirtualMemory  (-1, (0xc1b000), 4096, 260, ... (0xc1b000), 4096, 4, ) == 0x0
 00643   436   NtCreateThread  (0x1f03ff, 0x0, -1, 1242468, 1243184, 1, ... 80, {432, 588}, ) == 0x0
 00644   436   NtQueryInformationThread  (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=432,Tid=588,}, 0x0, ) == 0x0
 00645   436   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 432, 436, 1519, 0}  (24, {28, 56, new_msg, 0, 432, 436, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\260\1\0\0L\2\0\0" ... {28, 56, reply, 0, 432, 436, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\260\1\0\0L\2\0\0" )  ... {28, 56, reply, 0, 432, 436, 1520, 0}  (24, {28, 56, new_msg, 0, 432, 436, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\260\1\0\0L\2\0\0" ... {28, 56, reply, 0, 432, 436, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\03\02\0P\0\0\0\260\1\0\0L\2\0\0" )  ) == 0x0
 00646   436   NtResumeThread  (80, ... 1, ) == 0x0
 00647   436   NtOpenSection  (0x6, {24, 52, 0x0, 0, 0,  (0x6, {24, 52, 0x0, 0, 0, "m_Tem_v3.06"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00648   436   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "m_Tem_v3.06"}, {20480, 0}, 4, 134217728, 0, ... }, {20480, 0}, 4, 134217728, 0, ...
 00649   588   NtWaitForSingleObject  (72, 0, 0x0, ...
 00648   436   NtCreateSection  ... 84, ) == 0x0
 00650   436   NtSetEventBoostPriority  (72, ...
 00633   568   NtWaitForSingleObject  ... ) == 0x0
 00651   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00652   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00653   568   NtSetEventBoostPriority  (72, ...
 00639   572   NtWaitForSingleObject  ... ) == 0x0
 00654   572   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00655   572   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00656   572   NtSetEventBoostPriority  (72, ...
 00649   588   NtWaitForSingleObject  ... ) == 0x0
 00657   588   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00658   588   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00659   588   NtTestAlert  (... ) == 0x0
 00660   588   NtContinue  (12713264, 1, ...
 00661   588   NtRegisterThreadTerminatePort  (24, ...
 00656   572   NtSetEventBoostPriority  ... ) == 0x0
 00653   568   NtSetEventBoostPriority  ... ) == 0x0
 00650   436   NtSetEventBoostPriority  ... ) == 0x0
 00662   572   NtTestAlert  (...
 00663   568   NtTestAlert  (...
 00664   436   NtMapViewOfSection  (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ...
 00662   572   NtTestAlert  ... ) == 0x0
 00663   568   NtTestAlert  ... ) == 0x0
 00664   436   NtMapViewOfSection  ... (0x880000), {0, 0}, 20480, ) == 0x0
 00661   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 00665   572   NtContinue  (11664688, 1, ...
 00666   436   NtUnmapViewOfSection  (-1, 0x880000, ...
 00667   588   NtDelayExecution  (0, {-20480000, -1}, ...
 00668   572   NtRegisterThreadTerminatePort  (24, ...
 00669   568   NtContinue  (10616112, 1, ...
 00668   572   NtRegisterThreadTerminatePort  ... ) == 0x0
 00670   568   NtRegisterThreadTerminatePort  (24, ...
 00671   572   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... }, ...
 00670   568   NtRegisterThreadTerminatePort  ... ) == 0x0
 00671   572   NtOpenKey  ... 88, ) == 0x0
 00672   568   NtDelayExecution  (0, {-40960000, -1}, ...
 00673   572   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... , Partial, 144, ...
 00666   436   NtUnmapViewOfSection  ... ) == 0x0
 00674   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1243652, ... ) }, 1243652, ... ) == 0x0
 00675   436   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1332128, 1332120, 0, 1243992}  (24, {20, 48, new_msg, 0, 1332128, 1332120, 0, 1243992} "\0\0\0\0\2\0\1\0h\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 432, 436, 1521, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 432, 436, 1521, 0}  (24, {20, 48, new_msg, 0, 1332128, 1332120, 0, 1243992} "\0\0\0\0\2\0\1\0h\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 432, 436, 1521, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00676   436   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243660,  (0x80100080, {24, 0, 0x40, 0, 1243660, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00677   436   NtQueryDirectoryFile  (-2147482032, 0, 0, 0, -519778304, 4096, Names, 1,  (-2147482032, 0, 0, 0, -519778304, 4096, Names, 1, "~1.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00678   436   NtClose  (-2147482032, ...
 00673   572   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00679   572   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00680   572   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00681   572   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... 96, ) }, ... 96, ) == 0x0
 00682   572   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00683   572   NtNotifyChangeKey  (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00684   572   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... , Partial, 144, ...
 00678   436   NtClose  ... ) == 0x0
 00676   436   NtCreateFile  ... 100, {status=0x0, info=2}, ) == 0x0
 00685   436   NtClose  (100, ... ) == 0x0
 00686   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00687   436   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243640,  (0xc0100080, {24, 0, 0x40, 0, 1243640, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00688   436   NtClose  (-2147482032, ... ) == 0x0
 00689   436   NtQueryDirectoryFile  (-2147482032, 0, 0, 0, -519778304, 4096, Names, 1,  (-2147482032, 0, 0, 0, -519778304, 4096, Names, 1, "~1.tmp.exe", 1, ... , 1, ...
 00684   572   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00690   572   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00691   572   NtQueryValueKey  (96,  (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00692   572   NtQueryValueKey  (96,  (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00693   572   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0
 00694   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 104, ) == 0x0
 00695   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ...
 00689   436   NtQueryDirectoryFile  ... ) == STATUS_NO_SUCH_FILE
 00696   436   NtClose  (-2147482032, ... ) == 0x0
 00687   436   NtCreateFile  ... 108, {status=0x0, info=2}, ) == 0x0
 00697   436   NtQueryVolumeInformationFile  (108, 1243800, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00698   436   NtQueryInformationFile  (108, 1243692, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00699   436   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... , 43520, 0x0, 0, ...
 00695   572   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 00700   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00701   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\276\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\277\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\300\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\276\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\277\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\300\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\276\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\276\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\277\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\277\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\300\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\300\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\301\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00702   572   NtClose  (104, ... ) == 0x0
 00703   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0
 00704   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00705   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ...
 00699   436   NtWriteFile  ... {status=0x0, info=43520}, ) == 0x0
 00706   436   NtClose  (108, ... ) == 0x0
 00707   436   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00708   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1240364, ... ) }, 1240364, ... ) == 0x0
 00709   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1241056, ... ) }, 1241056, ... ) == 0x0
 00710   436   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00711   436   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 108, ...
 00705   572   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 00712   572   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00713   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\312\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\312\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\313\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\314\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\312\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\312\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\313\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\314\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\312\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\312\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\313\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\314\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00714   572   NtClose  (104, ... ) == 0x0
 00715   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 104, ) }, ... 104, ) == 0x0
 00716   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00717   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00718   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\317\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\317\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\320\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\321\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\317\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\317\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\320\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\321\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\317\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\317\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\320\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\321\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00719   572   NtClose  (104, ... ) == 0x0
 00720   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000004"}, ... 104, ) }, ... 104, ) == 0x0
 00721   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00722   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00723   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\324\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\324\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\325\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\326\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\324\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\324\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\325\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\326\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\324\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\324\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\325\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\326\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00724   572   NtClose  (104, ... ) == 0x0
 00725   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000005"}, ... 104, ) }, ... 104, ) == 0x0
 00726   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00727   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00728   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\331\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\331\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\332\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\333\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\331\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\331\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\332\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\333\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\331\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\331\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\332\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\333\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\333\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00729   572   NtClose  (104, ... ) == 0x0
 00730   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000006"}, ... 104, ) }, ... 104, ) == 0x0
 00731   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00732   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00733   572   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00734   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\337\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\337\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\340\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\341\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\337\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\337\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\340\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\341\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\337\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\337\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\340\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\341\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00735   572   NtClose  (104, ... ) == 0x0
 00736   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000007"}, ... 104, ) }, ... 104, ) == 0x0
 00737   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00738   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00739   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\344\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\344\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\345\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\346\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\344\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\344\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\345\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\346\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\344\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\344\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\345\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\346\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00740   572   NtClose  (104, ... ) == 0x0
 00741   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000008"}, ... 104, ) }, ... 104, ) == 0x0
 00742   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00743   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00744   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\351\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\351\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\352\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\353\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\351\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\351\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\352\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\353\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\351\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\351\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\352\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\353\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00745   572   NtClose  (104, ... ) == 0x0
 00746   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000009"}, ... 104, ) }, ... 104, ) == 0x0
 00747   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00748   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00749   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\356\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\356\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\357\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\360\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\356\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\356\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\357\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\360\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\356\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\356\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\357\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\360\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\360\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\361\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00750   572   NtClose  (104, ... ) == 0x0
 00751   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000010"}, ... 104, ) }, ... 104, ) == 0x0
 00752   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00753   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00754   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\363\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\363\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\364\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\365\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\363\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\363\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\364\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\365\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\363\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\363\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\364\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0\204\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\210T\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\364\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\365\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\365\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\366\2\0\0\260\1\0\0<\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00755   572   NtClose  (104, ... ) == 0x0
 00756   572   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000011"}, ... 104, ) }, ... 104, ) == 0x0
 00757   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00758   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00759   572   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00760   572   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\371\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\371\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\372\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\2\0\0\260\1\0\0<\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\373\2\0\0\260\1\0\0<\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\374\2\0\0\260\1\0\0<\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\374\2\0\0\260\1\0\0<\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\375\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0@H\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\371\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\371\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\372\2\0\0\260\1\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\2\0\0\260\1\0\0<\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\373\2\0\0\260\1\0\0<\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\374\2\0\0\260\1\0\0<\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\374\2\0\0\260\1\0\0<\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\375\2\0\0\260\1\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\240\376\261\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0@H\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 00761   572   NtClose  (104, ... ) == 0x0
 00762   572   NtClose  (100, ... ) == 0x0
 00763   572   NtWaitForSingleObject  (92, 0, {0, 0}, ... ) == 0x102
 00764   572   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0
 00765   572   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 104, ) }, ... 104, ) == 0x0
 00766   572   NtQueryValueKey  (104,  (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00767   572   NtNotifyChangeKey  (104, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00768   572   NtQueryValueKey  (104,  (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00769   572   NtOpenKey  (0x2000000, {24, 104, 0x40, 0, 0,  (0x2000000, {24, 104, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   572   NtQueryValueKey  (104,  (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 00771   572   NtOpenKey  (0x2000000, {24, 104, 0x40, 0, 0,  (0x2000000, {24, 104, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 00772   572   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 00773   572   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00774   572   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00775   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00776   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00777   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00778   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00779   572   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00780   572   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00781   572   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00782   572   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00783   572   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00784   572   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00785   572   NtClose  (116, ... ) == 0x0
 00786   572   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 00787   572   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00788   572   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00789   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00790   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00791   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00792   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00793   572   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00794   572   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00795   572   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00796   572   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00797   572   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00798   572   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00799   572   NtClose  (116, ... ) == 0x0
 00800   572   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 00801   572   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00802   572   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00803   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00804   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00805   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00806   572   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00807   572   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00808   572   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   572   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00810   572   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00811   572   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00812   572   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00813   572   NtClose  (116, ... ) == 0x0
 00814   572   NtClose  (112, ... ) == 0x0
 00815   572   NtWaitForSingleObject  (100, 0, {0, 0}, ... ) == 0x102
 00816   572   NtClose  (88, ... ) == 0x0
 00817   572   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00818   572   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00819   572   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0
 00820   572   NtQueryValueKey  (88,  (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821   572   NtClose  (88, ... ) == 0x0
 00822   572   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0
 00823   572   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00824   572   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 7, 96, ... 112, {status=0x0, info=1}, ) }, 7, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00825   572   NtLockFile  (112, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 00826   572   NtQueryInformationFile  (112, 1348400, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00827   572   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ... 12713984, 1052672, ) == 0x0
 00828   572   NtAllocateVirtualMemory  (-1, 12713984, 0, 235, 4096, 4, ... 12713984, 4096, ) == 0x0
 00829   572   NtReadFile  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (112, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 00830   572   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 00831   572   NtUnlockFile  (112, {0, 0}, {-1, -1}, 572, ... ) == STATUS_RANGE_NOT_LOCKED
 00832   572   NtClose  (112, ... ) == 0x0
 00833   572   NtOpenProcessToken  (-1, 0x8, ...
 00711   436   NtCreateSection  ... 112, ) == 0x0
 00834   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 116, ) }, ... 116, ) == 0x0
 00836   436   NtQueryValueKey  (116,  (116, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   436   NtClose  (116, ...
 00833   572   NtOpenProcessToken  ... 120, ) == 0x0
 00838   572   NtQueryInformationToken  (120, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00839   572   NtClose  (120, ... ) == 0x0
 00840   572   NtCreateFile  (0xc0100000, {24, 0, 0x40, 0, 0,  (0xc0100000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM.INI"}, 0x0, 128, 7, 3, 96, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 96, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 00841   572   NtLockFile  (120, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 1, ... {status=0x0, info=-2142329745}, ) == 0x0
 00842   572   NtQueryInformationFile  (120, 1348400, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00843   572   NtAllocateVirtualMemory  (-1, 0, 0, 1048811, 8192, 4, ...
 00837   436   NtClose  ... ) == 0x0
 00844   436   NtQueryVolumeInformationFile  (108, 1240364, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00845   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238348, ... ) }, 1238348, ... ) == 0x0
 00846   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 00847   436   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 116, ... 124, ) == 0x0
 00848   436   NtClose  (116, ... ) == 0x0
 00849   436   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 00843   572   NtAllocateVirtualMemory  ... 12713984, 1052672, ) == 0x0
 00850   572   NtAllocateVirtualMemory  (-1, 12713984, 0, 235, 4096, 4, ... 12713984, 4096, ) == 0x0
 00851   572   NtReadFile  (120, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231},  (120, 0, 0, 0, 231, 0x0, 2012046884, ... {status=0x0, info=231}, "; for 16-bit app support\15\12\15\12[drivers]\15\12wave=mmdrv.dll\15\12timer=timer.drv\15\12\15\12[mci]\15\12[driver32]\15\12[386enh]\15\12woafont=dosapp.FON\15\12EGA80WOA.FON=EGA80WOA.FON\15\12EGA40WOA.FON=EGA40WOA.FON\15\12CGA80WOA.FON=CGA80WOA.FON\15\12CGA40WOA.FON=CGA40WOA.FON\15\12", ) , ) == 0x0
 00852   572   NtWriteFile  (120, 0, 0, 0,  (120, 0, 0, 0, "[MCIDRV_VER]\15\12DEVICE=27859onxyom52469\15\12", 39, {231, 0}, 2012046884, ... {status=0x0, info=39}, ) , 39, {231, 0}, 2012046884, ... {status=0x0, info=39}, ) == 0x0
 00853   572   NtSetInformationFile  (120, 11664552, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00849   436   NtMapViewOfSection  ... (0xd30000), 0x0, 106496, ) == 0x0
 00854   436   NtClose  (124, ... ) == 0x0
 00855   436   NtUnmapViewOfSection  (-1, 0xd30000, ... ) == 0x0
 00856   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238664, ... ) }, 1238664, ... ) == 0x0
 00857   436   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00858   436   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 124, ... 116, ) == 0x0
 00859   436   NtQuerySection  (116, Image, 48, ...
 00860   572   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 00861   572   NtUnlockFile  (120, {0, 0}, {-1, -1}, 572, ... ) == STATUS_RANGE_NOT_LOCKED
 00862   572   NtClose  (120, ... ) == 0x0
 00863   572   NtDelayExecution  (0, {-122880000, -1}, ...
 00859   436   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00864   436   NtClose  (124, ... ) == 0x0
 00865   436   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00866   436   NtClose  (116, ... ) == 0x0
 00867   436   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 00868   436   NtQueryInformationFile  (116, 1238952, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00869   436   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 116, ... 124, ) == 0x0
 00870   436   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc20000), 0x0, 1028096, ) == 0x0
 00871   436   NtQueryInformationFile  (116, 1239048, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00872   436   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   436   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00874   436   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00875   436   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00876   436   NtQueryDirectoryFile  (120, 0, 0, 0, 1236612, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236612, 616, BothDirectory, 1, "~1.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00877   436   NtClose  (120, ... ) == 0x0
 00878   436   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00879   436   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00880   436   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00881   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe"}, 1236000, ... ) }, 1236000, ... ) == 0x0
 00882   436   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00883   436   NtQueryDirectoryFile  (120, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235360, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00884   436   NtClose  (120, ... ) == 0x0
 00885   436   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00886   436   NtQueryDirectoryFile  (120, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235360, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00887   436   NtClose  (120, ... ) == 0x0
 00888   436   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00889   436   NtQueryDirectoryFile  (120, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235360, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00890   436   NtClose  (120, ... ) == 0x0
 00891   436   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 00892   436   NtQueryDirectoryFile  (120, 0, 0, 0, 1235360, 616, BothDirectory, 1,  (120, 0, 0, 0, 1235360, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00893   436   NtClose  (120, ... ) == 0x0
 00894   436   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00895   436   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00896   436   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00897   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00898   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 00899   436   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00900   436   NtClose  (120, ... ) == 0x0
 00901   436   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902   436   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   436   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 00904   436   NtClose  (124, ... ) == 0x0
 00905   436   NtClose  (116, ... ) == 0x0
 00906   436   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00907   436   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00908   436   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00909   436   NtOpenProcessToken  (-1, 0xa, ... 116, ) == 0x0
 00910   436   NtQueryInformationToken  (116, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00911   436   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00912   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 00913   436   NtQueryValueKey  (124,  (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00914   436   NtQueryValueKey  (124,  (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (124, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00915   436   NtClose  (124, ... ) == 0x0
 00916   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 00917   436   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00918   436   NtQueryValueKey  (124,  (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (124, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00919   436   NtClose  (124, ... ) == 0x0
 00920   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 00922   436   NtQueryValueKey  (124,  (124, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   436   NtClose  (124, ... ) == 0x0
 00924   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00925   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00926   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00927   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00928   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00929   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00930   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00931   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00932   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00933   436   NtQueryDefaultLocale  (1, 1239736, ... ) == 0x0
 00934   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 124, ) }, ... 124, ) == 0x0
 00935   436   NtEnumerateKey  (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (124, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00936   436   NtOpenKey  (0x20019, {24, 124, 0x40, 0, 0,  (0x20019, {24, 124, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 120, ) }, ... 120, ) == 0x0
 00937   436   NtQueryValueKey  (120,  (120, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (120, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00938   436   NtQueryValueKey  (120,  (120, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (120, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00939   436   NtClose  (120, ... ) == 0x0
 00940   436   NtEnumerateKey  (124, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00941   436   NtClose  (124, ... ) == 0x0
 00942   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00943   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00945   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00951   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00953   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00954   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00955   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00956   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00957   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00958   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00959   436   NtClose  (124, ... ) == 0x0
 00960   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00962   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00963   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00964   436   NtClose  (124, ... ) == 0x0
 00965   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00966   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00967   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00968   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00969   436   NtClose  (124, ... ) == 0x0
 00970   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00972   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00973   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00974   436   NtClose  (124, ... ) == 0x0
 00975   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00976   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00977   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00978   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00979   436   NtClose  (124, ... ) == 0x0
 00980   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00982   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00983   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00984   436   NtClose  (124, ... ) == 0x0
 00985   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00987   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00988   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00989   436   NtClose  (124, ... ) == 0x0
 00990   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00992   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00993   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00994   436   NtClose  (124, ... ) == 0x0
 00995   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00996   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00997   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00998   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00999   436   NtClose  (124, ... ) == 0x0
 01000   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01002   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01003   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01004   436   NtClose  (124, ... ) == 0x0
 01005   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01006   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01007   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01008   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01009   436   NtClose  (124, ... ) == 0x0
 01010   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01011   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01012   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01013   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01014   436   NtClose  (124, ... ) == 0x0
 01015   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01016   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01017   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01018   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01019   436   NtClose  (124, ... ) == 0x0
 01020   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01021   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01022   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01023   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01024   436   NtClose  (124, ... ) == 0x0
 01025   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01027   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01028   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01029   436   NtClose  (124, ... ) == 0x0
 01030   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01031   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01032   436   NtQueryValueKey  (124,  (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (124, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01033   436   NtClose  (124, ... ) == 0x0
 01034   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01035   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 01036   436   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01037   436   NtClose  (124, ... ) == 0x0
 01038   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   436   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01040   436   NtOpenProcessToken  (-1, 0xa, ... 124, ) == 0x0
 01041   436   NtDuplicateToken  (124, 0xc, {24, 0, 0x0, 0, 1240256, 0x0}, 0, 2, ... 120, ) == 0x0
 01042   436   NtClose  (124, ... ) == 0x0
 01043   436   NtAccessCheck  (1355032, 120, 0x1, 1240384, 1240328, 56, 1240412, ... (0x1), ) == 0x0
 01044   436   NtClose  (120, ... ) == 0x0
 01045   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 01046   436   NtQueryValueKey  (120,  (120, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (120, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01047   436   NtClose  (120, ... ) == 0x0
 01048   436   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 120, ) }, ... 120, ) == 0x0
 01049   436   NtQuerySymbolicLinkObject  (120, ...  (120, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01050   436   NtClose  (120, ... ) == 0x0
 01051   436   NtQueryInformationFile  (108, 1238716, 528, Name, ... {status=0x0, info=130}, ) == 0x0
 01052   436   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01053   436   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01054   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp\~1.tmp.exe"}, 1237396, ... ) }, 1237396, ... ) == 0x0
 01055   436   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01056   436   NtQueryDirectoryFile  (120, 0, 0, 0, 1236756, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236756, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01057   436   NtClose  (120, ... ) == 0x0
 01058   436   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 01059   436   NtQueryDirectoryFile  (120, 0, 0, 0, 1236756, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236756, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 01060   436   NtClose  (120, ... ) == 0x0
 01061   436   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01062   436   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01063   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01064   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 120, ) == 0x0
 01065   436   NtQueryInformationToken  (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01066   436   NtClose  (120, ... ) == 0x0
 01067   436   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 120, ) }, ... 120, ) == 0x0
 01068   436   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 124, ) }, ... 124, ) == 0x0
 01069   436   NtClose  (120, ... ) == 0x0
 01070   436   NtQueryValueKey  (124,  (124, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01071   436   NtQueryValueKey  (124,  (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (124, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01072   436   NtClose  (124, ... ) == 0x0
 01073   436   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 8912896, 4096, ) == 0x0
 01074   436   NtAllocateVirtualMemory  (-1, 8912896, 0, 4096, 4096, 4, ... 8912896, 4096, ) == 0x0
 01075   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 01076   436   NtQueryValueKey  (124,  (124, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01077   436   NtClose  (124, ... ) == 0x0
 01078   436   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01079   436   NtQueryInformationToken  (116, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01080   436   NtQueryInformationToken  (116, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01081   436   NtClose  (116, ... ) == 0x0
 01082   436   NtCreateProcessEx  (1242992, 2035711, 0, -1, 0, 112, 0, 0, 0, ... ) == 0x0
 01083   436   NtQueryInformationProcess  (116, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=580,ParentPid=432,}, 0x0, ) == 0x0
 01084   436   NtReadVirtualMemory  (116, 0x7ffdf008, 4, ...  (116, 0x7ffdf008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 01085   436   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\~1.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01086   436   NtAllocateVirtualMemory  (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
 01087   436   NtReadVirtualMemory  (116, 0x9800000, 4096, ...  (116, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 01088   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01089   436   NtQueryInformationProcess  (116, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=580,ParentPid=432,}, 0x0, ) == 0x0
 01090   436   NtAllocateVirtualMemory  (-1, 0, 0, 1772, 4096, 4, ... 12713984, 4096, ) == 0x0
 01091   436   NtAllocateVirtualMemory  (116, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01092   436   NtWriteVirtualMemory  (116, 0x10000,  (116, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01093   436   NtAllocateVirtualMemory  (116, 0, 0, 1772, 4096, 4, ... 131072, 4096, ) == 0x0
 01094   436   NtWriteVirtualMemory  (116, 0x20000,  (116, 0x20000, "\0\20\0\0\354\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0Z\0\\0\264\5\0\0Z\0\\0\20\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0l\6\0\0\36\0 \0\310\6\0\0\0\0\2\0\350\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1772, ... 0x0, ) , 1772, ... 0x0, ) == 0x0
 01095   436   NtWriteVirtualMemory  (116, 0x7ffdf010,  (116, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01096   436   NtWriteVirtualMemory  (116, 0x7ffdf1e8,  (116, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01097   436   NtFreeVirtualMemory  (-1, (0xc20000), 0, 32768, ... (0xc20000), 4096, ) == 0x0
 01098   436   NtAllocateVirtualMemory  (116, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01099   436   NtAllocateVirtualMemory  (116, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01100   436   NtProtectVirtualMemory  (116, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01101   436   NtCreateThread  (0x1f03ff, 0x0, 116, 1241256, 1241976, 1, ... 124, {580, 584}, ) == 0x0
 01102   436   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1332200, 1243076}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1332200, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367ww\0\0\0|\0\0\0D\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 432, 436, 1522, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wt\0\0\0|\0\0\0D\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 432, 436, 1522, 0}  (24, {168, 196, new_msg, 0, 1313016, 1310720, 1332200, 1243076} "\0\0\0\0\0\0\1\0\2$\370w U\367ww\0\0\0|\0\0\0D\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 432, 436, 1522, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367wt\0\0\0|\0\0\0D\2\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01103   436   NtResumeThread  (124, ... 1, ) == 0x0
 01104   436   NtClose  (108, ... ) == 0x0
 01105   436   NtClose  (112, ... ) == 0x0
 01106   436   NtQueryInformationProcess  (116, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=580,ParentPid=432,}, 0x0, ) == 0x0
 01107   436   NtUserWaitForInputIdle  (580, 30000, 0, ...
 01108   436   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 01109   436   NtClose  (112, ... ) == 0x0
 00667   588   NtDelayExecution  ... ) == 0x0
 01110   588   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 12713984, 65536, ) == 0x0
 01111   588   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 01112   588   NtCreateSection  (0xf0007, 0x0, {12840, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 01113   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01114   588   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01115   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 16384, ) == 0x0
 01116   588   NtFreeVirtualMemory  (-1, (0xc20000), 0, 32768, ... (0xc20000), 65536, ) == 0x0
 01117   588   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 01118   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01119   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01120   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01121   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01122   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01123   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01124   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01125   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01126   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01127   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01128   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01129   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01130   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01131   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01132   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01133   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01134   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01135   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01136   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01137   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01138   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01139   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01140   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01141   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01142   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01143   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01144   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01145   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01146   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01147   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01148   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01149   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01150   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01151   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01152   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01153   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01154   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01155   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01156   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01157   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01158   588   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01159   588   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01160   588   NtContinue  (12710568, 0, ...
 01161   588   NtDelayExecution  (0, {-20480000, -1}, ...
 00672   568   NtDelayExecution  ... ) == 0x0
 01162   568   NtMapViewOfSection  (84, -1, (0x0), 0, 0, {0, 0}, 20480, 1, 0, 4, ... (0xc20000), {0, 0}, 20480, ) == 0x0
 01163   568   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01164   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01165   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 10614716, ... ) }, 10614716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01166   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sfc.dll"}, 10614716, ... ) }, 10614716, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01167   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 10614716, ... ) }, 10614716, ... ) == 0x0
 01168   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01169   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 120, ) == 0x0
 01170   568   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01171   568   NtClose  (108, ... ) == 0x0
 01172   568   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 16384, ) == 0x0
 01173   568   NtClose  (120, ... ) == 0x0
 01174   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01175   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 10613912, ... ) }, 10613912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 10613912, ... ) }, 10613912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01177   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 10613912, ... ) }, 10613912, ... ) == 0x0
 01178   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 01179   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 120, ... 108, ) == 0x0
 01180   568   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01181   568   NtClose  (120, ... ) == 0x0
 01182   568   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0
 01183   568   NtClose  (108, ... ) == 0x0
 01184   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01185   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 10613108, ... ) }, 10613108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01186   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 10613108, ... ) }, 10613108, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 10613108, ... ) }, 10613108, ... ) == 0x0
 01188   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 01189   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 120, ) == 0x0
 01190   568   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01191   568   NtClose  (108, ... ) == 0x0
 01192   568   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0
 01193   568   NtClose  (120, ... ) == 0x0
 01194   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 120, ) }, ... 120, ) == 0x0
 01195   568   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 01196   568   NtClose  (120, ... ) == 0x0
 01197   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 120, ) }, ... 120, ) == 0x0
 01198   568   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 01199   568   NtClose  (120, ... ) == 0x0
 01200   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 120, ) }, ... 120, ) == 0x0
 01201   568   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0
 01202   568   NtClose  (120, ... ) == 0x0
 01203   568   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   568   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01205   568   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01206   568   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 10614848, 0,  (0x1f0003, {24, 52, 0x80, 10614848, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01207   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 120, ) }, ... 120, ) == 0x0
 01208   568   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01209   568   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01210   568   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 12713984, 262144, ) == 0x0
 01211   568   NtAllocateVirtualMemory  (-1, 12713984, 0, 4096, 4096, 4, ... 12713984, 4096, ) == 0x0
 01212   568   NtAllocateVirtualMemory  (-1, 12718080, 0, 8192, 4096, 4, ... 12718080, 8192, ) == 0x0
 01213   568   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01214   568   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12976128, 1048576, ) == 0x0
 01215   568   NtAllocateVirtualMemory  (-1, 12976128, 0, 1048576, 4096, 4, ... 12976128, 1048576, ) == 0x0
 01216   568   NtCreateMutant  (0x1f0001, 0x0, 0, ... 108, ) == 0x0
 01217   568   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 128, ) == 0x0
 01218   568   NtCreateMutant  (0x1f0001, 0x0, 0, ... 132, ) == 0x0
 01219   568   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 136, ) == 0x0
 01220   568   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 140, ) == 0x0
 01221   568   NtSetEvent  (140, ... 0x0, ) == 0x0
 01222   568   NtDelayExecution  (0, {-40960000, -1}, ...
 01161   588   NtDelayExecution  ... ) == 0x0
 01223   588   NtContinue  (12710568, 0, ...
 01224   588   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01225   588   NtContinue  (12710568, 0, ...
 01226   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01222   568   NtDelayExecution  ... ) == 0x0
 01227   568   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01228   568   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 10616560,  (0x40100080, {24, 0, 0x40, 0, 10616560, "\??\C:\KUKU300a"}, 0x0, 32, 2, 5, 96, 0, 0, ... }, 0x0, 32, 2, 5, 96, 0, 0, ...
 01229   568   NtClose  (-2147481980, ... ) == 0x0
 01228   568   NtCreateFile  ... 144, {status=0x0, info=2}, ) == 0x0
 01230   568   NtClose  (144, ... ) == 0x0
 01231   568   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\KUKU300a"}, 7, 2113600, ... 144, {status=0x0, info=1}, ) }, 7, 2113600, ... 144, {status=0x0, info=1}, ) == 0x0
 01232   568   NtQueryInformationFile  (144, 10616624, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 01233   568   NtSetInformationFile  (144, 10616675, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0
 01234   568   NtClose  (144, ... ) == 0x0
 01235   568   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01236   568   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0
 01237   568   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) , Data=" (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="MSMSGS", Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0e\0s\0s\0e\0n\0g\0e\0r\0\\0m\0s\0m\0s\0g\0s\0.\0e\0x\0e\0"\0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) \0 \0/\0b\0a\0c\0k\0g\0r\0o\0u\0n\0d\0\0\0"}, 136, ) == 0x0
 01238   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 148, ) }, ... 148, ) == 0x0
 01239   568   NtOpenKey  (0x20019, {24, 148, 0x40, 0, 0,  (0x20019, {24, 148, 0x40, 0, 0, "ActiveComputerName"}, ... 152, ) }, ... 152, ) == 0x0
 01240   568   NtQueryValueKey  (152,  (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (152, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01241   568   NtClose  (152, ... ) == 0x0
 01242   568   NtClose  (148, ... ) == 0x0
 01243   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 148, ) }, ... 148, ) == 0x0
 01244   568   NtQueryValueKey  (148,  (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (148, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01245   568   NtClose  (148, ... ) == 0x0
 01246   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 148, ) }, ... 148, ) == 0x0
 01248   568   NtQueryValueKey  (148,  (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (148, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01249   568   NtClose  (148, ... ) == 0x0
 01250   568   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01251   568   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   568   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 148, ) }, ... 148, ) == 0x0
 01253   568   NtQueryValueKey  (148,  (148, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01254   568   NtClose  (148, ... ) == 0x0
 01255   568   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01256   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01257   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01258   568   NtQuerySystemTime  (... {851823532, 29876108}, ) == 0x0
 01259   568   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0
 01260   568   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01261   568   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01262   568   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01263   568   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01264   568   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01265   568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 164, ) == 0x0
 01266   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 168, ) }, ... 168, ) == 0x0
 01267   568   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "ActiveComputerName"}, ... 172, ) }, ... 172, ) == 0x0
 01268   568   NtQueryValueKey  (172,  (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (172, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01269   568   NtClose  (172, ... ) == 0x0
 01270   568   NtClose  (168, ... ) == 0x0
 01271   568   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 168, ) == 0x0
 01272   568   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 172, ) == 0x0
 01273   568   NtDuplicateObject  (-1, 168, -1, 0x0, 0, 2, ... 176, ) == 0x0
 01274   568   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01275   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01276   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0
 01277   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01278   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01279   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10613660,  (0xc0100080, {24, 0, 0x40, 0, 10613660, "\??\PIPE\SfcApi"}, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0
 01280   568   NtSetInformationFile  (184, 10613716, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01281   568   NtSetInformationFile  (184, 10613708, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01282   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01283   568   NtWriteFile  (184, 161, 0, 0,  (184, 161, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\0|\332\203O\350\322\21\230\7\0\300O\216\310P\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01284   568   NtReadFile  (184, 161, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (184, 161, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\203$\0\0\15\0\PIPE\SfcApi\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01285   568   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\203$\0\0\15\0\PIPE\SfcApi\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 116, 1024, ... {status=0x103, info=68},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\1\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0M\0E\0S\0S\0E\0N\0G\0E\0R\0\\0M\0S\0M\0S\0G\0S\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\203$\0\0\15\0\PIPE\SfcApi\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01286   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 10615728, ... ) }, 10615728, ... ) == 0x0
 01287   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01288   568   NtSetInformationFile  (188, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01289   568   NtClose  (188, ... ) == 0x0
 01290   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10615708,  (0xc0100080, {24, 0, 0x40, 0, 10615708, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01291   568   NtQueryInformationFile  (-1, 10615760, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01292   568   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01293   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01294   568   NtSetInformationFile  (188, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01295   568   NtClose  (188, ... ) == 0x0
 01296   568   NtDelayExecution  (0, {-10240000, -1}, ...
 01226   588   NtDelayExecution  ... ) == 0x0
 01297   588   NtContinue  (12710568, 0, ...
 01298   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01296   568   NtDelayExecution  ... ) == 0x0
 01299   568   NtEnumerateValueKey  (144, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01300   568   NtClose  (144, ... ) == 0x0
 01301   568   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01302   568   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01303   568   NtEnumerateValueKey  (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) , Data= (144, 0, Full, 220, ... TitleIdx=0, Type=1, Name="VMware Tools", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0T\0r\0a\0y\0.\0e\0x\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 01304   568   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\2\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0T\0R\0A\0Y\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01305   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 10615728, ... ) }, 10615728, ... ) == 0x0
 01306   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01307   568   NtSetInformationFile  (188, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01308   568   NtClose  (188, ... ) == 0x0
 01309   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10615708,  (0xc0100080, {24, 0, 0x40, 0, 10615708, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01310   568   NtQueryInformationFile  (-1, 10615760, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01311   568   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01312   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01313   568   NtSetInformationFile  (188, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01314   568   NtClose  (188, ... ) == 0x0
 01315   568   NtDelayExecution  (0, {-10240000, -1}, ... ) == 0x0
 01316   568   NtEnumerateValueKey  (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0
 01317   568   NtEnumerateValueKey  (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) , Data= (144, 1, Full, 220, ... TitleIdx=0, Type=1, Name="VMware User Process", Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0V\0M\0w\0a\0r\0e\0\\0V\0M\0w\0a\0r\0e\0 \0T\0o\0o\0l\0s\0\\0V\0M\0w\0a\0r\0e\0U\0s\0e\0r\0.\0e\0x\0e\0\0\0"}, 164, ) }, 164, ) == 0x0
 01318   568   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 144, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\220\0\0\0\3\0\0\0x\0\0\0\0\0\1\0p\342\0\204\0\0\0\0\0\0\04\0\0\0C\0:\0\\0P\0R\0O\0G\0R\0A\0M\0 \0F\0I\0L\0E\0S\0\\0V\0M\0W\0A\0R\0E\0\\0V\0M\0W\0A\0R\0E\0 \0T\0O\0O\0L\0S\0\\0V\0M\0W\0A\0R\0E\0U\0S\0E\0R\0.\0E\0X\0E\0\0\0", 144, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01319   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 10615728, ... ) }, 10615728, ... ) == 0x0
 01320   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01321   568   NtSetInformationFile  (188, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01322   568   NtClose  (188, ... ) == 0x0
 01323   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10615708,  (0xc0100080, {24, 0, 0x40, 0, 10615708, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01324   568   NtQueryInformationFile  (-1, 10615760, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01325   568   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01326   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01327   568   NtSetInformationFile  (188, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01328   568   NtClose  (188, ... ) == 0x0
 01329   568   NtDelayExecution  (0, {-10240000, -1}, ...
 01298   588   NtDelayExecution  ... ) == 0x0
 01330   588   NtContinue  (12710568, 0, ...
 01331   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01329   568   NtDelayExecution  ... ) == 0x0
 01332   568   NtEnumerateValueKey  (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0o\0m\0c\0y\0k\0w\0i\0b\0d\0p\0f\0o\0o\0.\0e\0x\0e\0\0\0"}, 104, ) , Data= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0o\0m\0c\0y\0k\0w\0i\0b\0d\0p\0f\0o\0o\0.\0e\0x\0e\0\0\0"}, 104, ) }, 104, ) == 0x0
 01333   568   NtEnumerateValueKey  (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0o\0m\0c\0y\0k\0w\0i\0b\0d\0p\0f\0o\0o\0.\0e\0x\0e\0\0\0"}, 104, ) , Data= (144, 2, Full, 220, ... TitleIdx=0, Type=1, Name="aMNL", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0o\0m\0c\0y\0k\0w\0i\0b\0d\0p\0f\0o\0o\0.\0e\0x\0e\0\0\0"}, 104, ) }, 104, ) == 0x0
 01334   568   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\4\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0O\0M\0C\0Y\0K\0W\0I\0B\0D\0P\0F\0O\0O\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 116, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\4\0\0\0\\0\0\0\0\0\1\0p\342\0\20&\0\0\0\0\0\0\0&\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0Y\0S\0T\0E\0M\03\02\0\\0O\0M\0C\0Y\0K\0W\0I\0B\0D\0P\0F\0O\0O\0.\0E\0X\0E\0\0\0", 116, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01335   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\OMCYKWIBDPFOO.EXE"}, 10615728, ... ) }, 10615728, ... ) == 0x0
 01336   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\OMCYKWIBDPFOO.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01337   568   NtSetInformationFile  (188, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01338   568   NtClose  (188, ... ) == 0x0
 01339   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 10615708,  (0xc0100080, {24, 0, 0x40, 0, 10615708, "\??\C:\WINDOWS\SYSTEM32\OMCYKWIBDPFOO.EXE"}, 0x0, 128, 0, 1, 96, 0, 0, ... ) }, 0x0, 128, 0, 1, 96, 0, 0, ... ) == STATUS_SHARING_VIOLATION
 01340   568   NtQueryInformationFile  (-1, 10615760, 24, Standard, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01341   568   NtClose  (-1, ... ) == STATUS_INVALID_HANDLE
 01342   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\OMCYKWIBDPFOO.EXE"}, 7, 2113568, ... 188, {status=0x0, info=1}, ) }, 7, 2113568, ... 188, {status=0x0, info=1}, ) == 0x0
 01343   568   NtSetInformationFile  (188, 10615704, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01344   568   NtClose  (188, ... ) == 0x0
 01345   568   NtDelayExecution  (0, {-10240000, -1}, ...
 00863   572   NtDelayExecution  ... ) == 0x0
 01346   572   NtOpenKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) }, ... 188, ) == 0x0
 01347   572   NtSetValueKey  (188,  (188, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... , 0, 4,  (188, "GlobalUserOffline", 0, 4, "\0\0\0\0", 4, ... , 4, ...
 01348   572   NtSetInformationFile  (-2147482732, -134441164, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01349   572   NtSetInformationFile  (-2147482732, -134441200, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01350   572   NtSetInformationFile  (-2147482732, -134441256, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01351   572   NtSetInformationFile  (-2147482732, -134441564, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01347   572   NtSetValueKey  ... ) == 0x0
 01352   572   NtClose  (188, ... ) == 0x0
 01353   572   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 188, ) }, ... 188, ) == 0x0
 01354   572   NtMapViewOfSection  (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 01355   572   NtClose  (188, ... ) == 0x0
 01356   572   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 01357   572   NtCreateKey  (0xf003f, {24, 64, 0x40, 0, 0,  (0xf003f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 188, 2, ) }, 0, 0x0, 0, ... 188, 2, ) == 0x0
 01358   572   NtQueryDefaultUILanguage  (11661652, ...
 01359   572   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01360   572   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482040, ) == 0x0
 01361   572   NtQueryInformationToken  (-2147482040, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01362   572   NtClose  (-2147482040, ... ) == 0x0
 01363   572   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482040, ) }, ... -2147482040, ) == 0x0
 01364   572   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01365   572   NtOpenKey  (0x80000000, {24, -2147482040, 0x640, 0, 0,  (0x80000000, {24, -2147482040, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 01366   572   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01367   572   NtClose  (-2147482036, ... ) == 0x0
 01368   572   NtClose  (-2147482040, ... ) == 0x0
 01358   572   NtQueryDefaultUILanguage  ... ) == 0x0
 01369   572   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01370   572   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 192, {status=0x0, info=1}, ) }, 1, 96, ... 192, {status=0x0, info=1}, ) == 0x0
 01371   572   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 192, ... 196, ) == 0x0
 01372   572   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xd60000), 0x0, 593920, ) == 0x0
 01373   572   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01374   572   NtQueryDefaultLocale  (1, 11659688, ... ) == 0x0
 01375   572   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01376   572   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 11660544, 1, 96, 0}  (24, {128, 156, new_msg, 0, 11660544, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\261\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\335\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\261\0\0\0\0\0" ... {128, 156, reply, 0, 432, 572, 2036, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\261\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\335\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\261\0\0\0\0\0" )  ... {128, 156, reply, 0, 432, 572, 2036, 0}  (24, {128, 156, new_msg, 0, 11660544, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\261\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\335\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\261\0\0\0\0\0" ... {128, 156, reply, 0, 432, 572, 2036, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\261\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\300\0\0\0\377\377\377\377\0\0\0\0P\275\335\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\364\261\0\0\0\0\0" )  ) == 0x0
 01377   572   NtClose  (192, ... ) == 0x0
 01378   572   NtClose  (196, ... ) == 0x0
 01379   572   NtUnmapViewOfSection  (-1, 0xd60000, ... ) == 0x0
 01380   572   NtUnmapViewOfSection  (-1, 0xb1f400, ... ) == STATUS_NOT_MAPPED_VIEW
 01381   572   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01382   572   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01383   572   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01384   572   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01385   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 11658228, ... ) }, 11658228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01386   572   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01387   572   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01388   572   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01389   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 11658820, ... ) }, 11658820, ... ) == 0x0
 01390   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 196, {status=0x0, info=1}, ) }, 3, 33, ... 196, {status=0x0, info=1}, ) == 0x0
 01391   572   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01392   572   NtCreateKey  (0x2001f, {24, 64, 0x40, 0, 0,  (0x2001f, {24, 64, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 192, 2, ) }, 0, 0x0, 0, ... 192, 2, ) == 0x0
 01393   572   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 4096, 4, ... 14024704, 262144, ) == 0x0
 01394   572   NtWaitForSingleObject  (100, 0, {0, 0}, ... ) == 0x102
 01395   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11661512, ... ) }, 11661512, ... ) == 0x0
 01396   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01397   572   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 200, ... 204, ) == 0x0
 01398   572   NtClose  (200, ... ) == 0x0
 01399   572   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xda0000), 0x0, 229376, ) == 0x0
 01400   572   NtClose  (204, ... ) == 0x0
 01401   572   NtUnmapViewOfSection  (-1, 0xda0000, ... ) == 0x0
 01402   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11661828, ... ) }, 11661828, ... ) == 0x0
 01403   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01404   572   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 200, ) == 0x0
 01405   572   NtQuerySection  (200, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01406   572   NtClose  (204, ... ) == 0x0
 01407   572   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0
 01408   572   NtClose  (200, ... ) == 0x0
 01409   572   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01410   572   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01411   572   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0
 01412   572   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01413   572   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01414   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 11661628, ... ) }, 11661628, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415   572   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 11661628, ... ) }, 11661628, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01416   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 11661628, ... ) }, 11661628, ... ) == 0x0
 01417   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01418   572   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ... 208, ) == 0x0
 01419   572   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01420   572   NtClose  (204, ... ) == 0x0
 01421   572   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 01422   572   NtClose  (208, ... ) == 0x0
 01423   572   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0
 01424   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 01425   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426   572   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01427   572   NtQueryValueKey  (204,  (204, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01428   572   NtQueryValueKey  (208,  (208, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01429   572   NtQueryValueKey  (204,  (204, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01430   572   NtQueryValueKey  (208,  (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01431   572   NtQueryValueKey  (204,  (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432   572   NtQueryValueKey  (208,  (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01433   572   NtQueryValueKey  (204,  (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434   572   NtQueryValueKey  (208,  (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435   572   NtQueryValueKey  (204,  (204, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01436   572   NtQueryValueKey  (204,  (204, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437   572   NtQueryValueKey  (204,  (204, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438   572   NtQueryValueKey  (204,  (204, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   572   NtQueryValueKey  (204,  (204, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440   572   NtQueryValueKey  (204,  (204, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   572   NtQueryValueKey  (204,  (204, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442   572   NtQueryValueKey  (208,  (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443   572   NtQueryValueKey  (204,  (204, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444   572   NtQueryValueKey  (204,  (204, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   572   NtQueryValueKey  (208,  (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446   572   NtQueryValueKey  (204,  (204, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447   572   NtQueryValueKey  (208,  (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448   572   NtQueryValueKey  (204,  (204, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   572   NtQueryValueKey  (208,  (208, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   572   NtQueryValueKey  (204,  (204, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01451   572   NtQueryValueKey  (208,  (208, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452   572   NtQueryValueKey  (204,  (204, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01453   572   NtQueryValueKey  (208,  (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01454   572   NtQueryValueKey  (204,  (204, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01455   572   NtQueryValueKey  (208,  (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01456   572   NtQueryValueKey  (204,  (204, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01457   572   NtQueryValueKey  (208,  (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01458   572   NtQueryValueKey  (204,  (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459   572   NtQueryValueKey  (208,  (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460   572   NtQueryValueKey  (204,  (204, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461   572   NtQueryValueKey  (204,  (204, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01462   572   NtQueryValueKey  (204,  (204, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01463   572   NtQueryValueKey  (204,  (204, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464   572   NtQueryValueKey  (204,  (204, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01465   572   NtQueryValueKey  (204,  (204, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01466   572   NtQueryValueKey  (204,  (204, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01467   572   NtQueryValueKey  (204,  (204, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   572   NtQueryValueKey  (204,  (204, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469   572   NtQueryValueKey  (204,  (204, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470   572   NtQueryValueKey  (204,  (204, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01471   572   NtQueryValueKey  (204,  (204, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472   572   NtQueryValueKey  (204,  (204, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473   572   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 212, ) }, ... 212, ) == 0x0
 01474   572   NtQueryValueKey  (212,  (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01475   572   NtClose  (212, ... ) == 0x0
 01476   572   NtClose  (208, ... ) == 0x0
 01477   572   NtClose  (204, ... ) == 0x0
 01478   572   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0
 01479   572   NtQueryValueKey  (204,  (204, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   572   NtQueryValueKey  (204,  (204, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   572   NtQueryValueKey  (204,  (204, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482   572   NtClose  (204, ... ) == 0x0
 01483   572   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0
 01484   572   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 208, ) == 0x0
 01485   572   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01486   572   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11662104, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11662104, 112, ... 216, 0x0, 0x0, 0x0, 112, ) == 0x0
 01487   572   NtRequestWaitReplyPort  (216, {128, 152, new_msg, 0, 127212, 1310720, 11661868, 2012750850}  (216, {128, 152, new_msg, 0, 127212, 1310720, 11661868, 2012750850} "\0\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\2308\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0@(\25\0\270(\25\0\0\0\0\0\260(\25\0\330(\25\0H*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\3\24\0\0\0\0\0\13\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 572, 2038, 0} "\7\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0@(\25\0\270(\25\0\0\0\0\0\260(\25\0\330(\25\0H*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\3\24\0\0\0\0\0\13\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 432, 572, 2038, 0}  (216, {128, 152, new_msg, 0, 127212, 1310720, 11661868, 2012750850} "\0\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\2308\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0@(\25\0\270(\25\0\0\0\0\0\260(\25\0\330(\25\0H*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\3\24\0\0\0\0\0\13\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 572, 2038, 0} "\7\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0@(\25\0\270(\25\0\0\0\0\0\260(\25\0\330(\25\0H*\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\3\24\0\0\0\0\0\13\0\0\0\5\0\0\0" )  ) == 0x0
 01488   572   NtRequestWaitReplyPort  (216, {64, 88, new_msg, 0, 0, 0, 0, 0}  (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 432, 572, 2039, 0} "\2\212T\200\1\0\30\201\214+\362\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200p\33\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 432, 572, 2039, 0}  (216, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 432, 572, 2039, 0} "\2\212T\200\1\0\30\201\214+\362\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200p\33\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 01489   572   NtClose  (212, ... ) == 0x0
 01490   572   NtClose  (216, ... ) == 0x0
 01491   572   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0
 01492   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 01493   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494   572   NtQueryValueKey  (216,  (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01495   572   NtQueryValueKey  (216,  (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01496   572   NtClose  (216, ... ) == 0x0
 01497   572   NtClose  (212, ... ) == 0x0
 01498   572   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01499   572   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11661968, 112, ... 216, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11661968, 112, ... 216, 0x0, 0x0, 0x0, 112, ) == 0x0
 01500   572   NtRequestWaitReplyPort  (216, {128, 152, new_msg, 0, 127076, 1310720, 11661732, 2012750850}  (216, {128, 152, new_msg, 0, 127076, 1310720, 11661732, 2012750850} "\0\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\2308\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0@(\25\0\340(\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\261\0\220\363\261\0x\1\24\0\0:\25\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 572, 2042, 0} "\7\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0@(\25\0\340(\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\261\0\220\363\261\0x\1\24\0\0:\25\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 432, 572, 2042, 0}  (216, {128, 152, new_msg, 0, 127076, 1310720, 11661732, 2012750850} "\0\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\2308\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0@(\25\0\340(\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\261\0\220\363\261\0x\1\24\0\0:\25\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 572, 2042, 0} "\7\370\261\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0@(\25\0\340(\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\261\0\220\363\261\0x\1\24\0\0:\25\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 01501   572   NtRequestWaitReplyPort  (216, {44, 68, new_msg, 0, 432, 572, 2039, 0}  (216, {44, 68, new_msg, 0, 432, 572, 2039, 0} "\1\212\0\0A\2\4\0\214+\362\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 432, 572, 2043, 0} "\2\240\372\177\4\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ... {40, 64, reply, 0, 432, 572, 2043, 0}  (216, {44, 68, new_msg, 0, 432, 572, 2039, 0} "\1\212\0\0A\2\4\0\214+\362\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 432, 572, 2043, 0} "\2\240\372\177\4\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ) == 0x0
 01502   572   NtRequestWaitReplyPort  (216, {64, 88, new_msg, 56, 0, 1, 0, 0}  (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\261\0@\0\314w\330'\25\0X\364\261\0\300\364\261\0\0\267\362v\300\364\261\0\330'\25\0\1\0\0\0\0:\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 432, 572, 2044, 0} "\10\364\261\0@\0\314w\330'\25\0X\364\261\0\300\364\261\0\0\267\362v\300\364\261\0\330'\25\0\1\0\0\0\0:\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {64, 88, reply, 56, 432, 572, 2044, 0}  (216, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\261\0@\0\314w\330'\25\0X\364\261\0\300\364\261\0\0\267\362v\300\364\261\0\330'\25\0\1\0\0\0\0:\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 432, 572, 2044, 0} "\10\364\261\0@\0\314w\330'\25\0X\364\261\0\300\364\261\0\0\267\362v\300\364\261\0\330'\25\0\1\0\0\0\0:\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01503   572   NtClose  (212, ... ) == 0x0
 01504   572   NtClose  (216, ... ) == 0x0
 01505   572   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0
 01506   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 01507   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01508   572   NtQueryValueKey  (216,  (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01509   572   NtQueryValueKey  (216,  (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01510   572   NtClose  (216, ... ) == 0x0
 01511   572   NtClose  (212, ... ) == 0x0
 01512   572   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 212, ) }, ... 212, ) == 0x0
 01513   572   NtQueryValueKey  (212,  (212, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514   572   NtClose  (212, ... ) == 0x0
 01515   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 11661512, ... ) }, 11661512, ... ) == 0x0
 01516   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 01517   572   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 212, ... 216, ) == 0x0
 01518   572   NtClose  (212, ... ) == 0x0
 01519   572   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xda0000), 0x0, 16384, ) == 0x0
 01520   572   NtClose  (216, ... ) == 0x0
 01521   572   NtUnmapViewOfSection  (-1, 0xda0000, ... ) == 0x0
 01522   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 11661828, ... ) }, 11661828, ... ) == 0x0
 01523   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 216, {status=0x0, info=1}, ) }, 5, 96, ... 216, {status=0x0, info=1}, ) == 0x0
 01524   572   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 216, ... 212, ) == 0x0
 01525   572   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01526   572   NtClose  (216, ... ) == 0x0
 01527   572   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0
 01528   572   NtClose  (212, ... ) == 0x0
 01529   572   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 212, ) }, ... 212, ) == 0x0
 01530   572   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 01531   572   NtClose  (212, ... ) == 0x0
 01532   572   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01533   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 216, ) }, ... 216, ) == 0x0
 01534   572   NtQueryValueKey  (216,  (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (216, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01535   572   NtClose  (216, ... ) == 0x0
 01536   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 11661512, ... ) }, 11661512, ... ) == 0x0
 01537   572   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01538   572   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 14286848, 65536, ) == 0x0
 01539   572   NtAllocateVirtualMemory  (-1, 14286848, 0, 4096, 4096, 4, ... 14286848, 4096, ) == 0x0
 01540   572   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 01541   572   NtAllocateVirtualMemory  (-1, 14290944, 0, 8192, 4096, 4, ... 14290944, 8192, ) == 0x0
 01542   572   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 216, ) == 0x0
 01543   572   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 11661788, 112, ... 220, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 11661788, 112, ... 220, 0x0, 0x0, 0x0, 112, ) == 0x0
 01544   572   NtRequestWaitReplyPort  (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11661552}  (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11661552} "\0$\370w\240\367\261\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\2308\25\0\4\0\0\0\2308\25\0\20\344\314w\2308\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0 K\25\0\210I\25\0\370J\25\0\0\0\0\0\0\0\0\0\0\0\0\0 K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 432, 572, 2047, 0} "\7$\370w\240\367\261\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2308\25\0\377\377\377\377\2308\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0 K\25\0\210I\25\0\370J\25\0\0\0\0\0\0\0\0\0\0\0\0\0 K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {128, 152, reply, 0, 432, 572, 2047, 0}  (220, {128, 152, new_msg, 0, 1310720, 126896, 1310720, 11661552} "\0$\370w\240\367\261\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\2308\25\0\4\0\0\0\2308\25\0\20\344\314w\2308\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0 K\25\0\210I\25\0\370J\25\0\0\0\0\0\0\0\0\0\0\0\0\0 K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 432, 572, 2047, 0} "\7$\370w\240\367\261\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2308\25\0\377\377\377\377\2308\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0 K\25\0\210I\25\0\370J\25\0\0\0\0\0\0\0\0\0\0\0\0\0 K\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01545   572   NtRequestWaitReplyPort  (220, {104, 128, new_msg, 0, 432, 572, 2043, 0}  (220, {104, 128, new_msg, 0, 432, 572, 2043, 0} "\1\240\0\0A\2\11\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\334H\25\0\22\0\0\0\0\0\0\0\22\0\0\0w\0w\0w\0.\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 432, 572, 2048, 0} "\2\212T\200\1\0\30\201\214+\362\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 432, 572, 2048, 0}  (220, {104, 128, new_msg, 0, 432, 572, 2043, 0} "\1\240\0\0A\2\11\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\334H\25\0\22\0\0\0\0\0\0\0\22\0\0\0w\0w\0w\0.\0m\0i\0c\0r\0o\0s\0o\0f\0t\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 432, 572, 2048, 0} "\2\212T\200\1\0\30\201\214+\362\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 01546   572   NtClose  (216, ... ) == 0x0
 01547   572   NtClose  (220, ... ) == 0x0
 01548   572   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 220, ) }, ... 220, ) == 0x0
 01549   572   NtQueryValueKey  (220,  (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01550   572   NtQueryValueKey  (220,  (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (220, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01551   572   NtQueryValueKey  (220,  (220, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01552   572   NtClose  (220, ... ) == 0x0
 01553   572   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01554   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 11662548, ... ) }, 11662548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555   572   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 11662548, ... ) }, 11662548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 11662548, ... ) }, 11662548, ... ) == 0x0
 01557   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0
 01558   572   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 220, ... 216, ) == 0x0
 01559   572   NtQuerySection  (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01560   572   NtClose  (220, ... ) == 0x0
 01561   572   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0
 01562   572   NtClose  (216, ... ) == 0x0
 01563   572   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 216, {status=0x0, info=0}, ) == 0x0
 01564   572   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 220, ) == 0x0
 01565   572   NtDeviceIoControlFile  (216, 220, 0x0, 0x0, 0xf14014,  (216, 220, 0x0, 0x0, 0xf14014, "\3\0\0\0www.microsoft.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 01566   572   NtClose  (220, ... ) == 0x0
 01567   572   NtClose  (216, ... ) == 0x0
 01568   572   NtDelayExecution  (0, {1770094592, -2}, ...
 01345   568   NtDelayExecution  ... ) == 0x0
 01569   568   NtEnumerateValueKey  (144, 3, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01570   568   NtClose  (144, ... ) == 0x0
 01571   568   NtDelayExecution  (0, {-10240000, -1}, ...
 01331   588   NtDelayExecution  ... ) == 0x0
 01572   588   NtContinue  (12710568, 0, ...
 01573   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01571   568   NtDelayExecution  ... ) == 0x0
 01574   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 144, {status=0x0, info=1}, ) }, 3, 16417, ... 144, {status=0x0, info=1}, ) == 0x0
 01575   568   NtQueryDirectoryFile  (144, 0, 0, 0, 10615268, 616, BothDirectory, 1,  (144, 0, 0, 0, 10615268, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01576   568   NtAllocateVirtualMemory  (-1, 1396736, 0, 8192, 4096, 4, ... 1396736, 8192, ) == 0x0
 01577   568   NtQueryDirectoryFile  (144, 0, 0, 0, 1395848, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4018}, ) == 0x0
 01578   568   NtDelayExecution  (0, {-10240000, -1}, ... ) == 0x0
 01579   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 216, {status=0x0, info=1}, ) }, 3, 16417, ... 216, {status=0x0, info=1}, ) == 0x0
 01580   568   NtQueryDirectoryFile  (216, 0, 0, 0, 10615208, 616, BothDirectory, 1,  (216, 0, 0, 0, 10615208, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01581   568   NtQueryDirectoryFile  (216, 0, 0, 0, 1399952, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3982}, ) == 0x0
 01582   568   NtDelayExecution  (0, {-10240000, -1}, ...
 01573   588   NtDelayExecution  ... ) == 0x0
 01583   588   NtContinue  (12710568, 0, ...
 01584   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01582   568   NtDelayExecution  ... ) == 0x0
 01585   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\REPAIR\"}, 3, 16417, ... 220, {status=0x0, info=1}, ) }, 3, 16417, ... 220, {status=0x0, info=1}, ) == 0x0
 01586   568   NtQueryDirectoryFile  (220, 0, 0, 0, 10615148, 616, BothDirectory, 1,  (220, 0, 0, 0, 10615148, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01587   568   NtAllocateVirtualMemory  (-1, 1404928, 0, 8192, 4096, 4, ... 1404928, 8192, ) == 0x0
 01588   568   NtQueryDirectoryFile  (220, 0, 0, 0, 1404112, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1240}, ) == 0x0
 01589   568   NtQueryDirectoryFile  (220, 0, 0, 0, 1404112, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01590   568   NtClose  (220, ... ) == 0x0
 01591   568   NtDelayExecution  (0, {-5120000, -1}, ... ) == 0x0
 01592   568   NtDelayExecution  (0, {-10240000, -1}, ...
 01584   588   NtDelayExecution  ... ) == 0x0
 01593   588   NtContinue  (12710568, 0, ...
 01594   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01592   568   NtDelayExecution  ... ) == 0x0
 01595   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\INF\"}, 3, 16417, ... 220, {status=0x0, info=1}, ) }, 3, 16417, ... 220, {status=0x0, info=1}, ) == 0x0
 01596   568   NtQueryDirectoryFile  (220, 0, 0, 0, 10615148, 616, BothDirectory, 1,  (220, 0, 0, 0, 10615148, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0
 01597   568   NtQueryDirectoryFile  (220, 0, 0, 0, 1404112, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3990}, ) == 0x0
 01598   568   NtFsControlFile  (184, 161, 0x0, 0x0, 0x11c017,  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , 96, 1024, ... {status=0x103, info=28},  (184, 161, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\5\0\0\0H\0\0\0\0\0\1\0p\342\0\20\34\0\0\0\0\0\0\0\34\0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0I\0N\0F\0\\0u\0n\0r\0e\0g\0m\0p\02\0.\0e\0x\0e\0\0\0", 96, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\2\0\0\0", ) , ) == 0x103
 01599   568   NtDelayExecution  (0, {-20480000, -1}, ...
 01594   588   NtDelayExecution  ... ) == 0x0
 01600   588   NtContinue  (12710568, 0, ...
 01601   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01599   568   NtDelayExecution  ... ) == 0x0
 01602   568   NtQueryDirectoryFile  (220, 0, 0, 0, 1404112, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4014}, ) == 0x0
 01603   568   NtQueryDirectoryFile  (220, 0, 0, 0, 1404112, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3986}, ) == 0x0
 01604   568   NtDelayExecution  (0, {-81920000, -1}, ...
 01601   588   NtDelayExecution  ... ) == 0x0
 01605   588   NtContinue  (12710568, 0, ...
 01606   588   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01607   588   NtContinue  (12710568, 0, ...
 01608   588   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01609   588   NtContinue  (12710568, 0, ...
 01610   588   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01611   588   NtContinue  (12710568, 0, ...
 01612   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01604   568   NtDelayExecution  ... ) == 0x0
 01613   568   NtQueryDirectoryFile  (220, 0, 0, 0, 1404112, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4044}, ) == 0x0
 01614   568   NtQueryDirectoryFile  (220, 0, 0, 0, 1404112, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4078}, ) == 0x0
 01615   568   NtQueryDirectoryFile  (220, 0, 0, 0, 1404112, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4066}, ) == 0x0
 01616   568   NtDelayExecution  (0, {-81920000, -1}, ...
 01612   588   NtDelayExecution  ... ) == 0x0
 01617   588   NtContinue  (12710568, 0, ...
 01618   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01107   436   NtUserWaitForInputIdle  ... ) == 0x102
 01619   436   NtClose  (116, ... ) == 0x0
 01620   436   NtClose  (124, ... ) == 0x0
 01621   436   NtAllocateVirtualMemory  (-1, 1413120, 0, 122880, 4096, 4, ... 1413120, 122880, ) == 0x0
 01622   436   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244452,  (0x80100080, {24, 0, 0x40, 0, 1244452, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 01623   436   NtSetInformationFile  (124, 1244544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01624   436   NtReadFile  (124, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64},  (124, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", ) , ) == 0x0
 01625   436   NtSetInformationFile  (124, 1244544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01626   436   NtReadFile  (124, 0, 0, 0, 248, 0x0, 0, ... {status=0x0, info=248},  (124, 0, 0, 0, 248, 0x0, 0, ... {status=0x0, info=248}, "PE\0\0L\1\10\0\31^B*\0\0\0\0\0\0\0\0\340\0\216\201\13\1\2\31\0:\0\0\0\362\1\0\0\0\0\0<\222\2\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0@\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\352\5\0\0\0\260\0\0<\342\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\364\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01627   436   NtQueryInformationFile  (124, 1244544, 8, Position, ... {status=0x0, info=8}, ) == 0x0
 01628   436   NtSetInformationFile  (124, 1244544, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01629   436   NtReadFile  (124, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40},  (124, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".rsrc\0\0\0\0\360\2\0\0\260\0\0\0\344\2\0\0L\0\0\0\0\0\0\21\0\0\0\0\0\0\0 \0\0\340", ) , ) == 0x0
 01630   436   NtQueryInformationFile  (124, 1244504, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01631   436   NtClose  (124, ... ) == 0x0
 01632   436   NtAllocateVirtualMemory  (-1, 1536000, 0, 122880, 4096, 4, ... 1536000, 122880, ) == 0x0
 01633   436   NtFreeVirtualMemory  (-1, (0x158000), 118784, 16384, ... (0x158000), 118784, ) == 0x0
 01634   436   NtAllocateVirtualMemory  (-1, 1658880, 0, 122880, 4096, 4, ... 1658880, 122880, ) == 0x0
 01635   436   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01636   436   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 01637   436   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 124, ... 116, ) == 0x0
 01638   436   NtQueryVolumeInformationFile  (124, 1240984, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01639   436   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 224, ) }, ... 224, ) == 0x0
 01640   436   NtWaitForSingleObject  (224, 0, {-1000000, -1}, ... ) == 0x0
 01641   436   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 228, ) }, ... 228, ) == 0x0
 01642   436   NtMapViewOfSection  (228, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xdb0000), {0, 0}, 57344, ) == 0x0
 01643   436   NtQueryInformationFile  (124, 1240948, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01644   436   NtQueryInformationFile  (124, 1240988, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01645   436   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01646   436   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 232, ) == 0x0
 01647   436   NtQueryInformationToken  (232, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01648   436   NtClose  (232, ... ) == 0x0
 01649   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01650   436   NtReleaseMutant  (224, ... 0x0, ) == 0x0
 01651   436   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01652   436   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01653   436   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01654   436   NtOpenProcessToken  (-1, 0xa, ... 232, ) == 0x0
 01655   436   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 236, ) }, ... 236, ) == 0x0
 01656   436   NtQueryValueKey  (236,  (236, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01657   436   NtQueryValueKey  (236,  (236, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (236, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01658   436   NtClose  (236, ... ) == 0x0
 01659   436   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 236, ) }, ... 236, ) == 0x0
 01660   436   NtQuerySymbolicLinkObject  (236, ...  (236, ... "\Device\WinDfs\U:00000000000091fd", 66, ) , 66, ) == 0x0
 01661   436   NtClose  (236, ... ) == 0x0
 01662   436   NtQueryInformationFile  (124, 1239336, 528, Name, ... {status=0x0, info=72}, ) == 0x0
 01663   436   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01664   436   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01665   436   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\packed.exe"}, 1238016, ... ) }, 1238016, ... ) == 0x0
 01666   436   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 01667   436   NtQueryDirectoryFile  (236, 0, 0, 0, 1237376, 616, BothDirectory, 1,  (236, 0, 0, 0, 1237376, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=104}, ) , 0, ... {status=0x0, info=104}, ) == 0x0
 01668   436   NtClose  (236, ... ) == 0x0
 01669   436   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\UNC\missouri\binaries\work\"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 01670   436   NtQueryDirectoryFile  (236, 0, 0, 0, 1237376, 616, BothDirectory, 1,  (236, 0, 0, 0, 1237376, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 01671   436   NtClose  (236, ... ) == 0x0
 01672   436   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01673   436   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01674   436   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 236, ) }, ... 236, ) == 0x0
 01675   436   NtQueryValueKey  (236,  (236, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01676   436   NtClose  (236, ... ) == 0x0
 01677   436   NtQueryInformationToken  (232, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01678   436   NtQueryInformationToken  (232, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01679   436   NtClose  (232, ... ) == 0x0
 01680   436   NtCreateProcessEx  (1243612, 2035711, 0, -1, 0, 116, 0, 0, 0, ... ) == 0x0
 01681   436   NtQueryInformationProcess  (232, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1992,ParentPid=432,}, 0x0, ) == 0x0
 01682   436   NtReadVirtualMemory  (232, 0x7ffdf008, 4, ...  (232, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01683   436   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01684   436   NtReadVirtualMemory  (232, 0x400000, 4096, ...  (232, 0x400000, 4096, ... "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\10\0\31^B*\0\0\0\0\0\0\0\0\340\0\216\201\13\1\2\31\0:\0\0\0\362\1\0\0\0\0\0<\222\2\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0@\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\352\5\0\0\0\260\0\0<\342\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\364\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 01685   436   NtReadVirtualMemory  (232, 0x40b000, 256, ...  (232, 0x40b000, 256, ... "\0\0\0\0\0\0\0\0\4\0\0\0\0\0\3\0\3\0\0\0(\0\0\200\12\0\0\0H\0\0\200\16\0\0\0x\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\2\0\1\0\0\0\220\0\0\200\2\0\0\0\250\0\0\200\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\250\1\0\200\300\0\0\200\266\1\0\200\330\0\0\200\304\1\0\200\360\0\0\200\334\1\0\200\10\1\0\200\0\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\344\1\0\200 \1\0\200\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\35\4\0\08\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\35\4\0\0H\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\0\0\0\0X\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0\0\0\0\0h\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\1\0", 256, ) , 256, ) == 0x0
 01686   436   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01687   436   NtQueryInformationProcess  (232, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=1992,ParentPid=432,}, 0x0, ) == 0x0
 01688   436   NtAllocateVirtualMemory  (-1, 0, 0, 1568, 4096, 4, ... 14417920, 4096, ) == 0x0
 01689   436   NtAllocateVirtualMemory  (232, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01690   436   NtWriteVirtualMemory  (232, 0x10000,  (232, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01691   436   NtAllocateVirtualMemory  (232, 0, 0, 1568, 4096, 4, ... 131072, 4096, ) == 0x0
 01692   436   NtWriteVirtualMemory  (232, 0x20000,  (232, 0x20000, "\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\344\0\346\0\230\4\0\0$\0&\0\200\5\0\0(\0*\0\250\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\324\5\0\0\36\0 \0\374\5\0\0\0\0\2\0\34\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1568, ... 0x0, ) , 1568, ... 0x0, ) == 0x0
 01693   436   NtWriteVirtualMemory  (232, 0x7ffdf010,  (232, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01694   436   NtWriteVirtualMemory  (232, 0x7ffdf1e8,  (232, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01695   436   NtFreeVirtualMemory  (-1, (0xdc0000), 0, 32768, ... (0xdc0000), 4096, ) == 0x0
 01696   436   NtAllocateVirtualMemory  (232, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01697   436   NtAllocateVirtualMemory  (232, 1224704, 0, 20480, 4096, 4, ... 1224704, 20480, ) == 0x0
 01698   436   NtProtectVirtualMemory  (232, (0x12b000), 4096, 260, ... (0x12b000), 4096, 4, ) == 0x0
 01699   436   NtCreateThread  (0x1f03ff, 0x0, 232, 1241876, 1242596, 1, ... 236, {1992, 1960}, ) == 0x0
 01700   436   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312680, 1310720, 1394960, 1243696}  (24, {168, 196, new_msg, 0, 1312680, 1310720, 1394960, 1243696} "\0\0\0\0\0\0\1\0\2$\370w U\367w\353\0\0\0\354\0\0\0\310\7\0\0\250\7\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0D\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 432, 436, 2281, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\350\0\0\0\354\0\0\0\310\7\0\0\250\7\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0D\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 432, 436, 2281, 0}  (24, {168, 196, new_msg, 0, 1312680, 1310720, 1394960, 1243696} "\0\0\0\0\0\0\1\0\2$\370w U\367w\353\0\0\0\354\0\0\0\310\7\0\0\250\7\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0D\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 432, 436, 2281, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\350\0\0\0\354\0\0\0\310\7\0\0\250\7\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0D\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01701   436   NtClose  (124, ... ) == 0x0
 01702   436   NtClose  (116, ... ) == 0x0
 01703   436   NtGetContextThread  (236, 1244640, ... ) == 0x0
 01704   436   NtReadVirtualMemory  (232, 0x7ffdf008, 4, ...  (232, 0x7ffdf008, 4, ... "\0\0@\0", 4, ) , 4, ) == 0x0
 01705   436   NtUnmapViewOfSection  (232, 0x400000, ... ) == 0x0
 01706   436   NtAllocateVirtualMemory  (232, 4194304, 0, 131072, 12288, 4, ... 4194304, 131072, ) == 0x0
 01707   436   NtProtectVirtualMemory  (232, (0x400000), 1024, 64, ... (0x400000), 4096, 4, ) == 0x0
 01708   436   NtProtectVirtualMemory  (232, (0x400000), 4096, 4, ... (0x400000), 4096, 64, ) == 0x0
 01709   436   NtWriteVirtualMemory  (232, 0x400000,  (232, 0x400000, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\31\212PF\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0`\1\0\0\202\0\0\0\0\0\0\361g\1\0\0\20\0\0\0p\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\310s\1\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\1\0p\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\347_\1\0", 1024, ... 1024, ) , 1024, ... 1024, ) == 0x0
 01710   436   NtFlushInstructionCache  (232, 4194304, 1024, ... ) == 0x0
 01711   436   NtProtectVirtualMemory  (232, (0x401000), 90112, 64, ... (0x401000), 90112, 4, ) == 0x0
 01712   436   NtProtectVirtualMemory  (232, (0x401000), 90112, 4, ... (0x401000), 90112, 64, ) == 0x0
 01713   436   NtWriteVirtualMemory  (232, 0x401000,  (232, 0x401000, "U\213\354\201\354h\2\0\0\203e\370\0\203e\374\0\353\7\213E\374@\211E\374\213E\374\203<\205\0\200A\0\0\17\204\26\1\0\0\213E\374\3774\205\0\200A\0\215\205\240\375\377\377P\350\371Z\1\0YY\215\205\240\375\377\377P\350\254\365\0\0Y\215\205\360\376\377\377Pj\3j\0\215\205\240\375\377\377P\377u\10\377\25\10pA\0\203\245\340\375\377\377\0\353\15\213\205\340\375\377\377@\211\205\340\375\377\377\307\205\344\375\377\377\4\1\0\0\307\205\334\375\377\377\4\1\0\0\215\205\334\375\377\377P\215\205\364\376\377\377P\215\205\354\376\377\377Pj\0\215\205\344\375\377\377P\215\205\350\375\377\377P\377\265\340\375\377\377\377\265\360\376\377\377\377\25\0pA\0\211\205\234\375\377\377\203\275\234\375\377\377\0t\2\353S\203\275\354\376\377\377\1uE\377u\14\377\265\334\375\377\377\215\205\364\376\377\377P\350\317i\0\0\203\304\14\211\205\230\375\377\377\203\275\230\375\377\377\0t\36\215\205\350\375\377\377P\377\265\360\376\377\377\377\25\4pA\0\205\300u\7\213E\370@\211E\370\351D\377\377\377\377\265\360\376\377\377\377\25(pA\0\351\322\376\377\377\213E\370\311\303U\213\354\201\354\14\1\0\0h\200\0\0\0\377u\10\377\25\250pA\0\205\300u\5\351\334\0\0\0\377u\10\377\25\254pA\0\377u\10h\1\0\0\200\350\204\376\377\377YY\211E\374\377u\10h\2\0\0\200\350r\376\377\377YY\213M\374\3\310\211M\374\203}\374\0\17\205\240\0\0\0h\4\1\0\0\377u\10\215\205\370\376\377\377P\350\240h\0\0\203\304\14\215\205\370\376\377\377P\350{Y\1\0Y\211\205\364\376\377\377\353\15\213\205\364\376\377\377H\211\205\364\376\377\377\203\275\364\376\377\377\0t8\213E\10\3\205\364\376\377\377\17\276@\377\203\370\", 90112, ... 90112, ) , 90112, ... 90112, ) == 0x0
 01714   436   NtFlushInstructionCache  (232, 4198400, 90112, ... ) == 0x0
 01715   436   NtProtectVirtualMemory  (232, (0x401000), 90087, 64, ... (0x401000), 90112, 4, ) == 0x0
 01716   436   NtProtectVirtualMemory  (232, (0x417000), 4096, 64, ... (0x417000), 4096, 4, ) == 0x0
 01717   436   NtProtectVirtualMemory  (232, (0x417000), 4096, 4, ... (0x417000), 4096, 64, ) == 0x0
 01718   436   NtWriteVirtualMemory  (232, 0x417000,  (232, 0x417000, "\22}\1\0\0}\1\0"}\1\02}\1\0F}\1\0X}\1\0j}\1\0z}\1\0\220}\1\0\242}\1\0\362|\1\0\0\0\0\0\266z\1\0\244z\1\0\214z\1\0\200z\1\0hz\1\0Zz\1\0Lz\1\0>z\1\0(z\1\0\30z\1\0\6z\1\0\370y\1\0\354y\1\0\334y\1\0\320y\1\0\302y\1\0\264y\1\0\240y\1\0\306z\1\0|y\1\0ly\1\0Vy\1\0Jy\1\0 y\1\0\12y\1\0\374x\1\0\350x\1\0\340x\1\0\314x\1\0\276x\1\0\250x\1\0\232x\1\02~\1\0\312{\1\0\332{\1\0\354{\1\0\374{\1\0\332z\1\0\360z\1\0\6{\1\0\26{\1\0&{\1\0B{\1\0\{\1\0l{\1\0~{\1\04y\1\0\232{\1\0\216y\1\0`|\1\0P|\1\0D|\1\08|\1\0\36|\1\0\22|\1\0\262{\1\0\0\0\0\0\360}\1\0\370}\1\0\4~\1\0\32~\1\0bx\1\0Xx\1\0\330v\1\0Px\1\0Hx\1\0:x\1\00x\1\0&x\1\0\34x\1\0\22x\1\0\2x\1\0\362w\1\0\346w\1\0\324w\1\0\300w\1\0\270w\1\0\260w\1\0\250w\1\0\236w\1\0\224w\1\0\210w\1\0~w\1\0tw\1\0lw\1\0dw\1\0\w\1\0Tw\1\0Jw\1\0@w\1\08w\1\0.w\1\0$w\1\0\34w\1\0\22w\1\0\10w\1\0\376v\1\0\366v\1\0\354v\1\0\342v\1\0\344}\1\0\0\0\0\0\310\0\0\200\0\0\0\0\310}\1\0\0\0\0\0\234|\1\0\320|\1\0~|\1\0\212|\1\0\262|\1\0\300|\1\0\0\0\0\0", 4096, ... 4096, ) }\1\02}\1\0F}\1\0X}\1\0j}\1\0z}\1\0\220}\1\0\242}\1\0\362|\1\0\0\0\0\0\266z\1\0\244z\1\0\214z\1\0\200z\1\0hz\1\0Zz\1\0Lz\1\0>z\1\0(z\1\0\30z\1\0\6z\1\0\370y\1\0\354y\1\0\334y\1\0\320y\1\0\302y\1\0\264y\1\0\240y\1\0\306z\1\0|y\1\0ly\1\0Vy\1\0Jy\1\0 y\1\0\12y\1\0\374x\1\0\350x\1\0\340x\1\0\314x\1\0\276x\1\0\250x\1\0\232x\1\02~\1\0\312{\1\0\332{\1\0\354{\1\0\374{\1\0\332z\1\0\360z\1\0\6{\1\0\26{\1\0&{\1\0B{\1\0\{\1\0l{\1\0~{\1\04y\1\0\232{\1\0\216y\1\0`|\1\0P|\1\0D|\1\08|\1\0\36|\1\0\22|\1\0\262{\1\0\0\0\0\0\360}\1\0\370}\1\0\4~\1\0\32~\1\0bx\1\0Xx\1\0\330v\1\0Px\1\0Hx\1\0:x\1\00x\1\0&x\1\0\34x\1\0\22x\1\0\2x\1\0\362w\1\0\346w\1\0\324w\1\0\300w\1\0\270w\1\0\260w\1\0\250w\1\0\236w\1\0\224w\1\0\210w\1\0~w\1\0tw\1\0lw\1\0dw\1\0\w\1\0Tw\1\0Jw\1\0@w\1\08w\1\0.w\1\0$w\1\0\34w\1\0\22w\1\0\10w\1\0\376v\1\0\366v\1\0\354v\1\0\342v\1\0\344}\1\0\0\0\0\0\310\0\0\200\0\0\0\0\310}\1\0\0\0\0\0\234|\1\0\320|\1\0~|\1\0\212|\1\0\262|\1\0\300|\1\0\0\0\0\0", 4096, ... 4096, ) == 0x0
 01719   436   NtFlushInstructionCache  (232, 4288512, 4096, ... ) == 0x0
 01720   436   NtProtectVirtualMemory  (232, (0x417000), 3660, 2, ... (0x417000), 4096, 4, ) == 0x0
 01721   436   NtProtectVirtualMemory  (232, (0x418000), 24576, 64, ... (0x418000), 24576, 4, ) == 0x0
 01722   436   NtProtectVirtualMemory  (232, (0x418000), 24576, 4, ... (0x418000), 24576, 64, ) == 0x0
 01723   436   NtWriteVirtualMemory  (232, 0x418000,  (232, 0x418000, "\230\200A\0\\200A\0@\200A\0\24\200A\0\0\0\0\0\214\245\274\305\306\301\316\341\240\376\232\253\243\355\203\357\261\210\235\376\357\337\367\326\211\317\207\240\271\353\257\354\203\260\234\360\0\0\0\0\0\0\0\0\214\223\211\345\364\355\340\307\211\301\201\255\277\366\263\357\271\210\263\336\317\311\0\0\0\0\0\0\214\223\211\345\364\355\340\307\211\301\201\255\277\366\263\357\271\210\263\306\352\342\366\315\242\377\264\215\270\353\262\345\261\210\271\364\361\377\373\315\273\320\272\273\243\312\245\362\251\225\214\364\360\0\0\0\0\0\0\0\214\223\211\345\364\355\340\307\211\301\201\255\277\366\263\357\271\210\263\306\352\342\366\315\242\377\264\215\270\353\262\345\261\210\271\364\361\377\373\315\273\320\272\273\243\0\0\0\0\0\0\0\304\2%u\3\2 bot(s) found with string \304\2%s\3\2.\0No bots found with string \304\2%s\3\2.\0found string \304\2%s\3\2 in %s (\304\2%i\3\2)\0\0-\304\2%u\3\2- Listing bots with string \304\2%s\3\2:\0\0\0%s bots with string \304\2%s\3\2\0\0\0\0Killing\0Listing\0\3\3\0\0Cmd.exe process has terminated.\0Could not read data from process.\0\0\0cmd.exe\0", 24576, ... 24576, ) , 24576, ... 24576, ) == 0x0
 01724   436   NtFlushInstructionCache  (232, 4292608, 24576, ... ) == 0x0
 01725   436   NtProtectVirtualMemory  (232, (0x418000), 29096, 4, ... (0x418000), 32768, 4, ) == 0x0
 01726   436   NtProtectVirtualMemory  (232, (0x7ffdf008), 4, 64, ... (0x7ffdf000), 4096, 64, ) == 0x0
 01727   436   NtProtectVirtualMemory  (232, (0x7ffdf000), 4096, 64, ... (0x7ffdf000), 4096, 64, ) == 0x0
 01728   436   NtWriteVirtualMemory  (232, 0x7ffdf008,  (232, 0x7ffdf008, "\0\0@\0", 4, ... 4, ) , 4, ... 4, ) == 0x0
 01729   436   NtFlushInstructionCache  (232, 2147348488, 4, ... ) == 0x0
 01730   436   NtSetContextThread  (236, 1244640, ... ) == 0x0
 01731   436   NtResumeThread  (236, ... 1, ) == 0x0
 01732   436   NtDelayExecution  (0, {-40000000, -1}, ...
 01618   588   NtDelayExecution  ... ) == 0x0
 01733   588   NtContinue  (12710568, 0, ...
 01734   588   NtDelayExecution  (0, {-20480000, -1}, ... ) == 0x0
 01735   588   NtContinue  (12710568, 0, ...
 01736   588   NtDelayExecution  (0, {-20480000, -1}, ...
 01732   436   NtDelayExecution  ... ) == 0x0
 01737   436   NtFreeVirtualMemory  (-1, (0x176000), 114688, 16384, ... (0x176000), 114688, ) == 0x0
 01738   436   NtTerminateProcess  (0, 0, ...
 01616   568   NtDelayExecution  ... ) == 0xc0
 01568   572   NtDelayExecution  ... ) == 0xc0
 01736   588   NtDelayExecution  ... ) == 0xc0
 01738   436   NtTerminateProcess  ... ) == 0x0
 01739   436   NtClose  (192, ... ) == 0x0
 01740   436   NtUnmapViewOfSection  (-1, 0xe00000, ... ) == 0x0
 01741   436   NtClose  (196, ... ) == 0x0
 01742   436   NtClose  (188, ... ) == 0x0
 01743   436   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01744   436   NtFreeVirtualMemory  (-1, (0xc20000), 0, 32768, ... (0xc20000), 262144, ) == 0x0
 01745   436   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01746   436   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01747   436   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 01748   436   NtUserUnhookWindowsHookEx  (196685, ... ) == 0x1
 01749   436   NtTerminateThread  (80, 0, ... ) == 0x0
 01750   436   NtTerminateThread  (76, 0, ... ) == 0x0
 01751   436   NtTerminateThread  (68, 0, ... ) == 0x0
 01752   436   NtUserKillTimer  (0, 32761, ... ) == 0x1
 01753   436   NtClose  (84, ... ) == 0x0
 01754   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc03b
 01755   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01756   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc03d
 01757   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01758   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc03f
 01759   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01760   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc041
 01761   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01762   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc043
 01763   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01764   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc045
 01765   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01766   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc047
 01767   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01768   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc049
 01769   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01770   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc04b
 01771   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01772   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc04d
 01773   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01774   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc04f
 01775   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01776   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc051
 01777   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01778   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc053
 01779   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01780   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc057
 01781   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01782   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc059
 01783   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01784   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc05b
 01785   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01786   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc05d
 01787   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01788   436   NtUserGetClassInfo  (1999896576, 1244452, 1244404, 1244480, 0, ... ) == 0xc05f
 01789   436   NtUserUnregisterClass  (1244456, 1999896576, 1244444, ... ) == 0x1
 01790   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc03b
 01791   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01792   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc03d
 01793   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01794   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc03f
 01795   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01796   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc041
 01797   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01798   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc043
 01799   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01800   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc045
 01801   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01802   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc047
 01803   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01804   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc049
 01805   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01806   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc04b
 01807   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01808   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc04d
 01809   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01810   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc04f
 01811   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01812   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc051
 01813   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01814   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc053
 01815   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01816   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc057
 01817   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01818   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc059
 01819   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01820   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc05b
 01821   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01822   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc05d
 01823   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01824   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc05f
 01825   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01826   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc017
 01827   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01828   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc019
 01829   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01830   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc018
 01831   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01832   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc01a
 01833   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01834   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc01c
 01835   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01836   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc01e
 01837   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01838   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc01b
 01839   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01840   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc068
 01841   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01842   436   NtUserGetClassInfo  (1905590272, 1244452, 1244404, 1244480, 0, ... ) == 0xc06a
 01843   436   NtUserUnregisterClass  (1244456, 1905590272, 1244444, ... ) == 0x1
 01844   436   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 01845   436   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01846   436   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01847   436   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01848   436   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01849   436   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01850   436   NtFreeVirtualMemory  (-1, (0x880000), 4096, 32768, ... (0x880000), 4096, ) == 0x0
 01851   436   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1395000, 2012550769, 1312632, 2012550797}  (24, {20, 48, new_msg, 0, 1395000, 2012550769, 1312632, 2012550797} "\0\0\0\0\3\0\1\0@I\25\0\370d@\0\0\0\0\0" ... {20, 48, reply, 0, 432, 436, 10333, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370d@\0\0\0\0\0" )  ... {20, 48, reply, 0, 432, 436, 10333, 0}  (24, {20, 48, new_msg, 0, 1395000, 2012550769, 1312632, 2012550797} "\0\0\0\0\3\0\1\0@I\25\0\370d@\0\0\0\0\0" ... {20, 48, reply, 0, 432, 436, 10333, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370d@\0\0\0\0\0" )  ) == 0x0
 01852   436   NtTerminateProcess  (-1, 0, ...
 01853   436   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtEnumerateKey(>)	2	NtGdiGetStockObject(>)	5	NtQueryInformationFile(>)	22
NtCallbackReturn(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenThreadToken(>)	5	NtFlushInstructionCache(>)	23
NtDeviceIoControlFile(>)	1	NtLockFile(>)	2	NtResumeThread(>)	5	NtQueryInformationProcess(>)	23
NtDuplicateToken(>)	1	NtNotifyChangeKey(>)	2	NtFsControlFile(>)	6	NtOpenProcessTokenEx(>)	26
NtGdiCreateBitmap(>)	1	NtOpenDirectoryObject(>)	2	NtQueryVolumeInformationFile(>)	6	NtOpenThreadTokenEx(>)	26
NtGdiInit(>)	1	NtOpenEvent(>)	2	NtReadVirtualMemory(>)	6	NtQueryDirectoryFile(>)	26
NtGdiQueryFontAssocInfo(>)	1	NtOpenMutant(>)	2	NtSetEventBoostPriority(>)	6	NtQuerySystemInformation(>)	26
NtGdiSelectBitmap(>)	1	NtQueryInformationJobObject(>)	2	NtTestAlert(>)	6	NtSetInformationFile(>)	26
NtGetContextThread(>)	1	NtQueryInstallUILanguage(>)	2	NtRegisterThreadTerminatePort(>)	7	NtCreateSection(>)	30
NtOpenKeyedEvent(>)	1	NtQueryVirtualMemory(>)	2	NtWriteFile(>)	7	NtOpenSection(>)	33
NtOpenProcess(>)	1	NtReleaseMutant(>)	2	NtOpenProcessToken(>)	8	NtQueryInformationToken(>)	35
NtQueryObject(>)	1	NtSetValueKey(>)	2	NtQueryDefaultUILanguage(>)	8	NtUnmapViewOfSection(>)	44
NtQuerySystemTime(>)	1	NtUnlockFile(>)	2	NtReadFile(>)	9	NtUserUnregisterClass(>)	45
NtSecureConnectPort(>)	1	NtUserWaitForInputIdle(>)	2	NtSetInformationThread(>)	9	NtUserFindExistingCursorIcon(>)	48
NtSetContextThread(>)	1	NtConnectPort(>)	3	NtUserSystemParametersInfo(>)	10	NtQueryAttributesFile(>)	51
NtSetEvent(>)	1	NtCreateMutant(>)	3	NtEnumerateValueKey(>)	11	NtProtectVirtualMemory(>)	55
NtUserCallNoParam(>)	1	NtGdiCreateCompatibleDC(>)	3	NtFreeVirtualMemory(>)	11	NtOpenFile(>)	56
NtUserCallOneParam(>)	1	NtOpenSymbolicLinkObject(>)	3	NtWaitForSingleObject(>)	11	NtDelayExecution(>)	60
NtUserGetDC(>)	1	NtQueryInformationThread(>)	3	NtSetInformationProcess(>)	12	NtUserRegisterClassExWOW(>)	63
NtUserGetThreadDesktop(>)	1	NtQuerySymbolicLinkObject(>)	3	NtWriteVirtualMemory(>)	13	NtMapViewOfSection(>)	74
NtUserKillTimer(>)	1	NtSetInformationObject(>)	3	NtQueryDefaultLocale(>)	14	NtAllocateVirtualMemory(>)	75
NtUserSetTimer(>)	1	NtTerminateProcess(>)	3	NtQuerySection(>)	16	NtUserGetClassInfo(>)	82
NtUserSetWindowsHookEx(>)	1	NtTerminateThread(>)	3	NtQueryDebugFilterState(>)	17	NtOpenKey(>)	148
NtUserUnhookWindowsHookEx(>)	1	NtUserRegisterWindowMessage(>)	3	NtContinue(>)	20	NtQueryValueKey(>)	188
NtAccessCheck(>)	2	NtCreateKey(>)	5	NtRequestWaitReplyPort(>)	20	NtClose(>)	245
NtCreateIoCompletion(>)	2	NtCreateThread(>)	5	NtCreateEvent(>)	21
NtCreateProcessEx(>)	2	NtDuplicateObject(>)	5