Summary:


NtCallbackReturn(>) 
 1 
NtSecureConnectPort(>) 
 1 
NtSetInformationObject(>) 
 2 
NtCreateSection(>) 
 12 

NtCreateThread(>) 
 1 
NtSetInformationThread(>) 
 1 
NtSetValueKey(>) 
 2 
NtOpenFile(>) 
 12 

NtFsControlFile(>) 
 1 
NtUserCallNoParam(>) 
 1 
NtTestAlert(>) 
 2 
NtCreateEvent(>) 
 14 

NtGdiCreateBitmap(>) 
 1 
NtUserGetThreadDesktop(>) 
 1 
NtConnectPort(>) 
 3 
NtUserRegisterClassExWOW(>) 
 14 

NtGdiInit(>) 
 1 
NtContinue(>) 
 2 
NtCreateFile(>) 
 3 
NtOpenSection(>) 
 19 

NtGdiQueryFontAssocInfo(>) 
 1 
NtDelayExecution(>) 
 2 
NtCreateKey(>) 
 3 
NtQuerySystemInformation(>) 
 19 

NtGdiSelectBitmap(>) 
 1 
NtGdiCreateSolidBrush(>) 
 2 
NtGdiCreateCompatibleDC(>) 
 3 
NtMapViewOfSection(>) 
 24 

NtOpenDirectoryObject(>) 
 1 
NtNotifyChangeKey(>) 
 2 
NtUnmapViewOfSection(>) 
 3 
NtQueryAttributesFile(>) 
 25 

NtOpenKeyedEvent(>) 
 1 
NtOpenProcessToken(>) 
 2 
NtDuplicateObject(>) 
 4 
NtQuerySystemTime(>) 
 36 

NtOpenMutant(>) 
 1 
NtOpenProcessTokenEx(>) 
 2 
NtFlushInstructionCache(>) 
 4 
NtAllocateVirtualMemory(>) 
 41 

NtOpenSymbolicLinkObject(>) 
 1 
NtOpenThreadTokenEx(>) 
 2 
NtGdiGetStockObject(>) 
 5 
NtDeviceIoControlFile(>) 
 45 

NtQueryInformationThread(>) 
 1 
NtQueryDefaultLocale(>) 
 2 
NtQueryInformationToken(>) 
 5 
NtOpenKey(>) 
 57 

NtQueryObject(>) 
 1 
NtQueryInformationProcess(>) 
 2 
NtFreeVirtualMemory(>) 
 6 
NtWaitForSingleObject(>) 
 78 

NtQuerySymbolicLinkObject(>) 
 1 
NtQueryVirtualMemory(>) 
 2 
NtQuerySection(>) 
 9 
NtProtectVirtualMemory(>) 
 82 

NtQueryVolumeInformationFile(>) 
 1 
NtRegisterThreadTerminatePort(>) 
 2 
NtUserFindExistingCursorIcon(>) 
 9 
NtClose(>) 
 90 

NtResumeThread(>) 
 1 
NtSetInformationFile(>) 
 2 
NtRequestWaitReplyPort(>) 
 11 
NtQueryValueKey(>) 
 158 


Trace:
 00001   456   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   456   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   456   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   456   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   456   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   456   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   456   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   456   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   456   NtClose  (12, ... ) == 0x0
 00014   456   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   456   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   456   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   456   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   456   NtClose  (16, ... ) == 0x0
 00021   456   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   456   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   456   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18284544}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18284544}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   456   NtClose  (16, ... ) == 0x0
 00026   456   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   456   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   456   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   456   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\27\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\27\1\4\0\0\0" ... {28, 56, reply, 0, 448, 456, 1522, 0} "H \27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\27\1\4\0\0\0" )  ... {28, 56, reply, 0, 448, 456, 1522, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\27\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\27\1\4\0\0\0" ... {28, 56, reply, 0, 448, 456, 1522, 0} "H \27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\27\1\4\0\0\0" )  ) == 0x0
 00032   456   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   456   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   456   NtClose  (16, ... ) == 0x0
 00036   456   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   456   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   456   NtClose  (28, ... ) == 0x0
 00041   456   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   456   NtClose  (28, ... ) == 0x0
 00045   456   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   456   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   456   NtClose  (28, ... ) == 0x0
 00049   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   456   NtClose  (28, ... ) == 0x0
 00052   456   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\27\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\27\18\6\0\0" ... {28, 56, reply, 0, 448, 456, 1531, 0} "\230\262\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\27\18\6\0\0" )  ... {28, 56, reply, 0, 448, 456, 1531, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\27\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\27\18\6\0\0" ... {28, 56, reply, 0, 448, 456, 1531, 0} "\230\262\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\27\18\6\0\0" )  ) == 0x0
 00056   456   NtProtectVirtualMemory  (-1, (0x619000), 6174, 4, ... (0x619000), 8192, 128, ) == 0x0
 00057   456   NtProtectVirtualMemory  (-1, (0x619000), 8192, 128, ... (0x619000), 8192, 4, ) == 0x0
 00058   456   NtFlushInstructionCache  (-1, 6393856, 6174, ... ) == 0x0
 00059   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   456   NtClose  (28, ... ) == 0x0
 00062   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   456   NtClose  (28, ... ) == 0x0
 00065   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   456   NtClose  (28, ... ) == 0x0
 00068   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   456   NtClose  (28, ... ) == 0x0
 00071   456   NtProtectVirtualMemory  (-1, (0x619000), 6174, 4, ... (0x619000), 8192, 64, ) == 0x0
 00072   456   NtProtectVirtualMemory  (-1, (0x619000), 8192, 64, ... (0x619000), 8192, 4, ) == 0x0
 00073   456   NtFlushInstructionCache  (-1, 6393856, 6174, ... ) == 0x0
 00074   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00075   456   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00076   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00077   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00078   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00079   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00080   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00081   456   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00082   456   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00083   456   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00084   456   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00085   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00086   456   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00087   456   NtClose  (40, ... ) == 0x0
 00088   456   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00089   456   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00090   456   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00091   456   NtClose  (40, ... ) == 0x0
 00092   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093   456   NtClose  (36, ... ) == 0x0
 00094   456   NtClose  (28, ... ) == 0x0
 00095   456   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00096   456   NtClose  (32, ... ) == 0x0
 00097   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00100   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00101   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00102   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00103   456   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00104   456   NtClose  (32, ... ) == 0x0
 00105   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00106   456   NtClose  (28, ... ) == 0x0
 00107   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00108   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00109   456   NtClose  (28, ... ) == 0x0
 00110   456   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00111   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00112   456   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00113   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0
 00114   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00115   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00116   456   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00117   456   NtClose  (28, ... ) == 0x0
 00118   456   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00119   456   NtClose  (32, ... ) == 0x0
 00120   456   NtProtectVirtualMemory  (-1, (0x619000), 6174, 4, ... (0x619000), 8192, 64, ) == 0x0
 00121   456   NtProtectVirtualMemory  (-1, (0x619000), 8192, 64, ... (0x619000), 8192, 4, ) == 0x0
 00122   456   NtFlushInstructionCache  (-1, 6393856, 6174, ... ) == 0x0
 00123   456   NtProtectVirtualMemory  (-1, (0x619000), 6174, 4, ... (0x619000), 8192, 64, ) == 0x0
 00124   456   NtProtectVirtualMemory  (-1, (0x619000), 8192, 64, ... (0x619000), 8192, 4, ) == 0x0
 00125   456   NtFlushInstructionCache  (-1, 6393856, 6174, ... ) == 0x0
 00126   456   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00127   456   NtQueryInformationToken  (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00128   456   NtClose  (32, ... ) == 0x0
 00129   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00130   456   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00131   456   NtClose  (32, ... ) == 0x0
 00132   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00133   456   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00134   456   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00135   456   NtClose  (32, ... ) == 0x0
 00136   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00137   456   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   456   NtClose  (32, ... ) == 0x0
 00139   456   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00140   456   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00141   456   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00142   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00143   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\27\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\27\1$\1\0\0" ... {28, 56, reply, 0, 448, 456, 1573, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\27\1$\1\0\0" )  ... {28, 56, reply, 0, 448, 456, 1573, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\27\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\27\1$\1\0\0" ... {28, 56, reply, 0, 448, 456, 1573, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\27\1$\1\0\0" )  ) == 0x0
 00144   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00145   456   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x620000), 0x0, 1060864, ) == 0x0
 00146   456   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00147   456   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00148   456   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00149   456   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00150   456   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00151   456   NtClose  (-2147482020, ... ) == 0x0
 00152   456   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00153   456   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00154   456   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00155   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00156   456   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00157   456   NtClose  (-2147482020, ... ) == 0x0
 00158   456   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00159   456   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00160   456   NtClose  (-2147482020, ... ) == 0x0
 00161   456   NtQueryDefaultLocale  (0, -136508916, ... ) == 0x0
 00162   456   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00163   456   NtUserCallNoParam  (24, ... ) == 0x0
 00164   456   NtGdiCreateCompatibleDC  (0, ...
 00165   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00164   456   NtGdiCreateCompatibleDC  ... ) == 0x2f01045c
 00166   456   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00167   456   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00168   456   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x33050463
 00169   456   NtGdiCreateSolidBrush  (0, 0, ...
 00170   456   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 10682368, 4096, ) == 0x0
 00169   456   NtGdiCreateSolidBrush  ... ) == 0x21100462
 00171   456   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00172   456   NtGdiCreateCompatibleDC  (0, ... ) == 0x20010456
 00173   456   NtGdiSelectBitmap  (536937558, 855966819, ... ) == 0x185000f
 00174   456   NtUserGetThreadDesktop  (456, 0, ... ) == 0x2c
 00175   456   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00176   456   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00177   456   NtClose  (52, ... ) == 0x0
 00178   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00179   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00180   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00181   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00182   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00183   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00184   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00185   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00186   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00187   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00188   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00189   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00190   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00191   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00192   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00193   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00194   456   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00195   456   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00196   456   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00197   456   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00198   456   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00199   456   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00200   456   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00201   456   NtCallbackReturn  (0, 0, 0, ...
 00202   456   NtGdiInit  (... ) == 0x1
 00203   456   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00204   456   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00205   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00206   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10747904, 65536, ) == 0x0
 00207   456   NtAllocateVirtualMemory  (-1, 10747904, 0, 4096, 4096, 4, ... 10747904, 4096, ) == 0x0
 00208   456   NtAllocateVirtualMemory  (-1, 10752000, 0, 8192, 4096, 4, ... 10752000, 8192, ) == 0x0
 00209   456   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00210   456   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa50000), 0x0, 12288, ) == 0x0
 00211   456   NtClose  (52, ... ) == 0x0
 00212   456   NtAllocateVirtualMemory  (-1, 10760192, 0, 4096, 4096, 4, ... 10760192, 4096, ) == 0x0
 00213   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00214   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00215   456   NtTestAlert  (... ) == 0x0
 00216   456   NtContinue  (1244464, 1, ...
 00217   456   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x619a39,}, 4, ... ) == 0x0
 00218   456   NtAllocateVirtualMemory  (-1, 0, 0, 128, 4096, 4, ... 10878976, 4096, ) == 0x0
 00219   456   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 10944512, 4096, ) == 0x0
 00220   456   NtAllocateVirtualMemory  (-1, 0, 0, 260, 4096, 4, ... 11010048, 4096, ) == 0x0
 00221   456   NtAllocateVirtualMemory  (-1, 0, 0, 2174976, 4096, 4, ... 11075584, 2174976, ) == 0x0
 00222   456   NtAllocateVirtualMemory  (-1, 0, 0, 28268, 4096, 4, ... 13303808, 28672, ) == 0x0
 00223   456   NtFreeVirtualMemory  (-1, (0xcb0000), 0, 32768, ... (0xcb0000), 28672, ) == 0x0
 00224   456   NtFreeVirtualMemory  (-1, (0xa90000), 0, 32768, ... (0xa90000), 2174976, ) == 0x0
 00225   456   NtProtectVirtualMemory  (-1, (0x408570), 20, 64, ... (0x408000), 4096, 4, ) == 0x0
 00226   456   NtProtectVirtualMemory  (-1, (0x4080dc), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00227   456   NtProtectVirtualMemory  (-1, (0x4080e0), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00228   456   NtProtectVirtualMemory  (-1, (0x4080e4), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00229   456   NtProtectVirtualMemory  (-1, (0x4080e8), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00230   456   NtProtectVirtualMemory  (-1, (0x4080ec), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00231   456   NtProtectVirtualMemory  (-1, (0x4080f0), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00232   456   NtProtectVirtualMemory  (-1, (0x4080f4), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00233   456   NtProtectVirtualMemory  (-1, (0x4080f8), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00234   456   NtProtectVirtualMemory  (-1, (0x4080fc), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00235   456   NtProtectVirtualMemory  (-1, (0x408100), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00236   456   NtProtectVirtualMemory  (-1, (0x408104), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00237   456   NtProtectVirtualMemory  (-1, (0x408108), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00238   456   NtProtectVirtualMemory  (-1, (0x40810c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00239   456   NtProtectVirtualMemory  (-1, (0x408110), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00240   456   NtProtectVirtualMemory  (-1, (0x408114), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00241   456   NtProtectVirtualMemory  (-1, (0x408118), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00242   456   NtProtectVirtualMemory  (-1, (0x40811c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00243   456   NtProtectVirtualMemory  (-1, (0x408584), 20, 64, ... (0x408000), 4096, 64, ) == 0x0
 00244   456   NtProtectVirtualMemory  (-1, (0x40800c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00245   456   NtProtectVirtualMemory  (-1, (0x408010), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00246   456   NtProtectVirtualMemory  (-1, (0x408014), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00247   456   NtProtectVirtualMemory  (-1, (0x408018), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00248   456   NtProtectVirtualMemory  (-1, (0x40801c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00249   456   NtProtectVirtualMemory  (-1, (0x408020), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00250   456   NtProtectVirtualMemory  (-1, (0x408024), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00251   456   NtProtectVirtualMemory  (-1, (0x408028), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00252   456   NtProtectVirtualMemory  (-1, (0x40802c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00253   456   NtProtectVirtualMemory  (-1, (0x408030), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00254   456   NtProtectVirtualMemory  (-1, (0x408034), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00255   456   NtProtectVirtualMemory  (-1, (0x408038), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00256   456   NtProtectVirtualMemory  (-1, (0x40803c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00257   456   NtProtectVirtualMemory  (-1, (0x408040), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00258   456   NtProtectVirtualMemory  (-1, (0x408044), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00259   456   NtProtectVirtualMemory  (-1, (0x408048), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00260   456   NtProtectVirtualMemory  (-1, (0x40804c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00261   456   NtProtectVirtualMemory  (-1, (0x408050), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00262   456   NtProtectVirtualMemory  (-1, (0x408054), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00263   456   NtProtectVirtualMemory  (-1, (0x408058), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00264   456   NtProtectVirtualMemory  (-1, (0x40805c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00265   456   NtProtectVirtualMemory  (-1, (0x408060), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00266   456   NtProtectVirtualMemory  (-1, (0x408064), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00267   456   NtProtectVirtualMemory  (-1, (0x408068), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00268   456   NtProtectVirtualMemory  (-1, (0x40806c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00269   456   NtProtectVirtualMemory  (-1, (0x408070), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00270   456   NtProtectVirtualMemory  (-1, (0x408074), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00271   456   NtProtectVirtualMemory  (-1, (0x408078), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00272   456   NtProtectVirtualMemory  (-1, (0x40807c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00273   456   NtProtectVirtualMemory  (-1, (0x408080), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00274   456   NtProtectVirtualMemory  (-1, (0x408084), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00275   456   NtProtectVirtualMemory  (-1, (0x408088), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00276   456   NtProtectVirtualMemory  (-1, (0x40808c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00277   456   NtProtectVirtualMemory  (-1, (0x408090), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00278   456   NtProtectVirtualMemory  (-1, (0x408094), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00279   456   NtProtectVirtualMemory  (-1, (0x408098), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00280   456   NtProtectVirtualMemory  (-1, (0x40809c), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00281   456   NtProtectVirtualMemory  (-1, (0x4080a0), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00282   456   NtProtectVirtualMemory  (-1, (0x4080a4), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00283   456   NtProtectVirtualMemory  (-1, (0x4080a8), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00284   456   NtProtectVirtualMemory  (-1, (0x4080ac), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00285   456   NtProtectVirtualMemory  (-1, (0x4080b0), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00286   456   NtProtectVirtualMemory  (-1, (0x4080b4), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00287   456   NtProtectVirtualMemory  (-1, (0x4080b8), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00288   456   NtProtectVirtualMemory  (-1, (0x4080bc), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00289   456   NtProtectVirtualMemory  (-1, (0x4080c0), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00290   456   NtProtectVirtualMemory  (-1, (0x4080c4), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00291   456   NtProtectVirtualMemory  (-1, (0x4080c8), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00292   456   NtProtectVirtualMemory  (-1, (0x4080cc), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00293   456   NtProtectVirtualMemory  (-1, (0x4080d0), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00294   456   NtProtectVirtualMemory  (-1, (0x4080d4), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00295   456   NtProtectVirtualMemory  (-1, (0x408598), 20, 64, ... (0x408000), 4096, 64, ) == 0x0
 00296   456   NtProtectVirtualMemory  (-1, (0x408000), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00297   456   NtProtectVirtualMemory  (-1, (0x408004), 4, 64, ... (0x408000), 4096, 64, ) == 0x0
 00298   456   NtFreeVirtualMemory  (-1, (0xa60000), 0, 32768, ... (0xa60000), 4096, ) == 0x0
 00299   456   NtFreeVirtualMemory  (-1, (0xa80000), 0, 32768, ... (0xa80000), 4096, ) == 0x0
 00300   456   NtFreeVirtualMemory  (-1, (0xa70000), 0, 32768, ... (0xa70000), 4096, ) == 0x0
 00301   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00302   456   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10878976, 65536, ) == 0x0
 00303   456   NtAllocateVirtualMemory  (-1, 10878976, 0, 4096, 4096, 4, ... 10878976, 4096, ) == 0x0
 00304   456   NtAllocateVirtualMemory  (-1, 10883072, 0, 20480, 4096, 4, ... 10883072, 20480, ) == 0x0
 00305   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10944512, 1048576, ) == 0x0
 00306   456   NtAllocateVirtualMemory  (-1, 10944512, 0, 32768, 4096, 4, ... 10944512, 32768, ) == 0x0
 00307   456   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00308   456   NtOpenKey  (0x20006, {24, 32, 0x40, 0, 0,  (0x20006, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 52, ) }, ... 52, ) == 0x0
 00309   456   NtSetValueKey  (52,  (52, "Advanced DHTML Enable", 0, 1, "u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0", 38, ... , 0, 1,  (52, "Advanced DHTML Enable", 0, 1, "u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0", 38, ... , 38, ...
 00310   456   NtSetInformationFile  (-2147482808, -136509644, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00311   456   NtSetInformationFile  (-2147482808, -136509736, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00309   456   NtSetValueKey  ... ) == 0x0
 00312   456   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00313   456   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 56, ) }, ... 56, ) == 0x0
 00314   456   NtQueryValueKey  (56,  (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00315   456   NtQueryValueKey  (56,  (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00316   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 60, ) == 0x0
 00317   456   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "Protocol_Catalog9"}, ... 64, ) }, ... 64, ) == 0x0
 00318   456   NtQueryValueKey  (64,  (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00319   456   NtNotifyChangeKey  (64, 60, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00320   456   NtQueryValueKey  (64,  (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00321   456   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00322   456   NtQueryValueKey  (64,  (64, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00323   456   NtQueryValueKey  (64,  (64, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00324   456   NtOpenKey  (0x2000000, {24, 64, 0x40, 0, 0,  (0x2000000, {24, 64, 0x40, 0, 0, "Catalog_Entries"}, ... 68, ) }, ... 68, ) == 0x0
 00325   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000001"}, ... 72, ) }, ... 72, ) == 0x0
 00326   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00327   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00328   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0I\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0I\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0J\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0J\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0K\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0K\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0L\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0I\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0I\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0J\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0J\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0K\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0K\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0L\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0K\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0L\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0I\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0I\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0J\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0J\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0K\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0K\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0L\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00329   456   NtClose  (72, ... ) == 0x0
 00330   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000002"}, ... 72, ) }, ... 72, ) == 0x0
 00331   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00332   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00333   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0N\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0N\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0O\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0O\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0P\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0P\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Q\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0N\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0N\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0O\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0O\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0P\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0P\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Q\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0P\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Q\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0N\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0N\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0O\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0O\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0P\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0P\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Q\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00334   456   NtClose  (72, ... ) == 0x0
 00335   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000003"}, ... 72, ) }, ... 72, ) == 0x0
 00336   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00337   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00338   456   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00339   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0T\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0U\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0V\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0T\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0U\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0V\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0T\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0T\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0U\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0V\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00340   456   NtClose  (72, ... ) == 0x0
 00341   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000004"}, ... 72, ) }, ... 72, ) == 0x0
 00342   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00343   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00344   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0Y\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0Y\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0Z\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0[\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0Y\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0Y\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0Z\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0[\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0Y\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0Y\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0Z\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0[\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00345   456   NtClose  (72, ... ) == 0x0
 00346   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000005"}, ... 72, ) }, ... 72, ) == 0x0
 00347   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00348   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00349   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0^\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0^\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0_\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0`\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0^\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0^\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0_\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0`\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0^\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0^\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0_\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0`\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00350   456   NtClose  (72, ... ) == 0x0
 00351   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000006"}, ... 72, ) }, ... 72, ) == 0x0
 00352   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00353   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00354   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0c\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0c\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0d\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0e\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0c\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0c\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0d\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0e\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0c\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0c\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0d\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0e\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00355   456   NtClose  (72, ... ) == 0x0
 00356   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000007"}, ... 72, ) }, ... 72, ) == 0x0
 00357   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00358   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00359   456   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00360   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0i\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0i\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0j\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0k\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0i\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0i\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0j\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0k\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0i\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0i\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0j\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0k\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00361   456   NtClose  (72, ... ) == 0x0
 00362   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000008"}, ... 72, ) }, ... 72, ) == 0x0
 00363   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00364   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00365   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0n\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0n\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0o\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0p\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0n\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0n\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0o\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0p\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0n\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0n\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0o\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0p\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00366   456   NtClose  (72, ... ) == 0x0
 00367   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000009"}, ... 72, ) }, ... 72, ) == 0x0
 00368   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00369   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00370   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0s\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0s\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0t\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0u\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0s\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0s\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0t\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0u\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0s\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0s\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0t\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0u\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00371   456   NtClose  (72, ... ) == 0x0
 00372   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000010"}, ... 72, ) }, ... 72, ) == 0x0
 00373   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00374   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00375   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0x\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0x\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0y\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0z\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0x\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0x\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0y\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0z\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0 (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0x\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0x\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\0\0\0$\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\350@\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0y\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\0\0\0z\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\1\0\0\300\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00376   456   NtClose  (72, ... ) == 0x0
 00377   456   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "000000000011"}, ... 72, ) }, ... 72, ) == 0x0
 00378   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00379   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00380   456   NtQueryValueKey  (72,  (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0}\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0}\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\1\0\0\300\1\0\0\310\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\177\1\0\0\300\1\0\0\310\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\200\1\0\0\300\1\0\0\310\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\200\1\0\0\300\1\0\0\310\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\201\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\0\0\0@\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\230?\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (72, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0}\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\0\0\0}\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\1\0\0\300\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\1\0\0\300\1\0\0\310\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\177\1\0\0\300\1\0\0\310\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\200\1\0\0\300\1\0\0\310\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\200\1\0\0\300\1\0\0\310\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\201\1\0\0\300\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\0\0\0@\333\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\230?\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 00381   456   NtClose  (72, ... ) == 0x0
 00382   456   NtClose  (68, ... ) == 0x0
 00383   456   NtWaitForSingleObject  (60, 0, {0, 0}, ... ) == 0x102
 00384   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00385   456   NtOpenKey  (0x2000000, {24, 56, 0x40, 0, 0,  (0x2000000, {24, 56, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 72, ) }, ... 72, ) == 0x0
 00386   456   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00387   456   NtNotifyChangeKey  (72, 68, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00388   456   NtQueryValueKey  (72,  (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00389   456   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00390   456   NtQueryValueKey  (72,  (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 00391   456   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Catalog_Entries"}, ... 76, ) }, ... 76, ) == 0x0
 00392   456   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00393   456   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000001"}, ... 80, ) }, ... 80, ) == 0x0
 00394   456   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00395   456   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00396   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00397   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00398   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00399   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00400   456   NtQueryValueKey  (80,  (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00401   456   NtQueryValueKey  (80,  (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   456   NtQueryValueKey  (80,  (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00403   456   NtQueryValueKey  (80,  (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00404   456   NtQueryValueKey  (80,  (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00405   456   NtQueryValueKey  (80,  (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00406   456   NtClose  (80, ... ) == 0x0
 00407   456   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000002"}, ... 80, ) }, ... 80, ) == 0x0
 00408   456   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00409   456   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00410   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00411   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00412   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00413   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00414   456   NtQueryValueKey  (80,  (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00415   456   NtQueryValueKey  (80,  (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00416   456   NtQueryValueKey  (80,  (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00417   456   NtQueryValueKey  (80,  (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00418   456   NtQueryValueKey  (80,  (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00419   456   NtQueryValueKey  (80,  (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00420   456   NtClose  (80, ... ) == 0x0
 00421   456   NtOpenKey  (0x20019, {24, 76, 0x40, 0, 0,  (0x20019, {24, 76, 0x40, 0, 0, "000000000003"}, ... 80, ) }, ... 80, ) == 0x0
 00422   456   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00423   456   NtQueryValueKey  (80,  (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00424   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00425   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00426   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00427   456   NtQueryValueKey  (80,  (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00428   456   NtQueryValueKey  (80,  (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (80, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00429   456   NtQueryValueKey  (80,  (80, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00430   456   NtQueryValueKey  (80,  (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00431   456   NtQueryValueKey  (80,  (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00432   456   NtQueryValueKey  (80,  (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00433   456   NtQueryValueKey  (80,  (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00434   456   NtClose  (80, ... ) == 0x0
 00435   456   NtClose  (76, ... ) == 0x0
 00436   456   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 00437   456   NtClose  (56, ... ) == 0x0
 00438   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00439   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00440   456   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 56, ) }, ... 56, ) == 0x0
 00441   456   NtQueryValueKey  (56,  (56, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00442   456   NtClose  (56, ... ) == 0x0
 00443   456   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 56, ) == 0x0
 00444   456   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00445   456   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00446   456   NtDelayExecution  (0, {-10000000, -1}, ... ) == 0x0
 00447   456   NtWaitForSingleObject  (60, 0, {0, 0}, ... ) == 0x102
 00448   456   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 76, ) }, ... 76, ) == 0x0
 00449   456   NtQueryValueKey  (76,  (76, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00450   456   NtClose  (76, ... ) == 0x0
 00451   456   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00452   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 1232592, ... ) }, 1232592, ... ) == 0x0
 00453   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00454   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 76, ... 80, ) == 0x0
 00455   456   NtClose  (76, ... ) == 0x0
 00456   456   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb70000), 0x0, 229376, ) == 0x0
 00457   456   NtClose  (80, ... ) == 0x0
 00458   456   NtUnmapViewOfSection  (-1, 0xb70000, ... ) == 0x0
 00459   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 1232908, ... ) }, 1232908, ... ) == 0x0
 00460   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00461   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 76, ) == 0x0
 00462   456   NtQuerySection  (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00463   456   NtClose  (80, ... ) == 0x0
 00464   456   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0
 00465   456   NtClose  (76, ... ) == 0x0
 00466   456   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00467   456   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00468   456   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 76, ) == 0x0
 00469   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 1232236, ... ) }, 1232236, ... ) == 0x0
 00470   456   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 80, ) }, ... 80, ) == 0x0
 00471   456   NtQueryValueKey  (80,  (80, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (80, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0
 00472   456   NtQueryValueKey  (80,  (80, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (80, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0
 00473   456   NtClose  (80, ... ) == 0x0
 00474   456   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 80, ) }, ... 80, ) == 0x0
 00475   456   NtQueryValueKey  (80,  (80, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00476   456   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00477   456   NtQueryValueKey  (80,  (80, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00478   456   NtQueryValueKey  (80,  (80, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (80, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 00479   456   NtClose  (80, ... ) == 0x0
 00480   456   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 80, ) }, ... 80, ) == 0x0
 00481   456   NtQueryValueKey  (80,  (80, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00482   456   NtQueryValueKey  (80,  (80, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00483   456   NtQueryValueKey  (80,  (80, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00484   456   NtQueryValueKey  (80,  (80, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (80, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 00485   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 1233156, ... ) }, 1233156, ... ) == 0x0
 00486   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 00487   456   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 84, ... 88, ) == 0x0
 00488   456   NtClose  (84, ... ) == 0x0
 00489   456   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb70000), 0x0, 20480, ) == 0x0
 00490   456   NtClose  (88, ... ) == 0x0
 00491   456   NtUnmapViewOfSection  (-1, 0xb70000, ... ) == 0x0
 00492   456   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 1233472, ... ) }, 1233472, ... ) == 0x0
 00493   456   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00494   456   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 84, ) == 0x0
 00495   456   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00496   456   NtClose  (88, ... ) == 0x0
 00497   456   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 00498   456   NtClose  (84, ... ) == 0x0
 00499   456   NtClose  (80, ... ) == 0x0
 00500   456   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 1235672, 67, ... 80, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 1235672, 67, ... 80, {status=0x0, info=0}, ) == 0x0
 00501   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x1207b,  (80, 76, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0X\177\24\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\10\307\22\201", ) , 16, 16, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0X\177\24\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\10\307\22\201", ) , ) == 0x0
 00502   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x1207b,  (80, 76, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\10\307\22\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\10\307\22\201", ) , 16, 16, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\10\307\22\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\10\307\22\201", ) , ) == 0x0
 00503   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12047,  (80, 76, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0X\177\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0
 00504   456   NtWaitForSingleObject  (60, 0, {0, 0}, ... ) == 0x102
 00505   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12003,  (80, 76, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0W/\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=84}, "\1\0\0\0\1\0\0\0\16\0\2\0W/\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=84},  (80, 76, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0W/\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=84}, "\1\0\0\0\1\0\0\0\16\0\2\0W/\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00506   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12047,  (80, 76, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0W/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00507   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x1200b,  (80, 76, 0x0, 0x0, 0x1200b, "\0\21\252q\331\212\0\0\0\0\0\0", 12, 0, ... {status=0x0, info=0}, 0x0, ) , 12, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00508   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12047,  (80, 76, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\1\0\0\2\0W/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00509   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x1203b,  (80, 76, 0x0, 0x0, 0x1203b, "\2\0\0\0X}\24\0\1\0\0\0\334'a\0", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00510   456   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11993088, 1048576, ) == 0x0
 00511   456   NtAllocateVirtualMemory  (-1, 13033472, 0, 8192, 4096, 4, ... 13033472, 8192, ) == 0x0
 00512   456   NtProtectVirtualMemory  (-1, (0xc6e000), 4096, 260, ... (0xc6e000), 4096, 4, ) == 0x0
 00513   456   NtCreateThread  (0x1f03ff, 0x0, -1, 1235196, 1235912, 1, ... 88, {448, 960}, ) == 0x0
 00514   456   NtQueryInformationThread  (88, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=448,Tid=960,}, 0x0, ) == 0x0
 00515   456   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012750850, 1345168, 285, 2012556731}  (24, {28, 56, new_msg, 0, 2012750850, 1345168, 285, 2012556731} "\0\0\0\0\1\0\1\0\0\0\0\0L}\24\0X\0\0\0\300\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 448, 456, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0L}\24\0X\0\0\0\300\1\0\0\300\3\0\0" )  ... {28, 56, reply, 0, 448, 456, 1583, 0}  (24, {28, 56, new_msg, 0, 2012750850, 1345168, 285, 2012556731} "\0\0\0\0\1\0\1\0\0\0\0\0L}\24\0X\0\0\0\300\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 448, 456, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0L}\24\0X\0\0\0\300\1\0\0\300\3\0\0" )  ) == 0x0
 00516   456   NtResumeThread  (88, ... 1, ) == 0x0
 00517   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=0}, "", ) , 28, 28, ... {status=0x0, info=0}, "", ) == 0x103
 00518   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ...
 00519   960   NtTestAlert  (... ) == 0x0
 00520   960   NtContinue  (13040944, 1, ...
 00521   960   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00522   960   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0
 00523   960   NtWaitForSingleObject  (60, 0, {0, 0}, ... ) == 0x102
 00524   960   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00525   960   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 13040904, 67, ... 100, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 13040904, 67, ... 100, {status=0x0, info=0}, ) == 0x0
 00526   960   NtDeviceIoControlFile  (100, 96, 0x0, 0x0, 0x12047,  (100, 96, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\352\3\0\0\11\6\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\210\211\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0
 00527   960   NtWaitForSingleObject  (60, 0, {0, 0}, ... ) == 0x102
 00528   960   NtWaitForSingleObject  (68, 0, {0, 0}, ... ) == 0x102
 00529   960   NtAllocateVirtualMemory  (-1, 13029376, 0, 4096, 4096, 260, ... 13029376, 4096, ) == 0x0
 00530   960   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 13037444, ... ) }, 13037444, ... ) == 0x0
 00531   960   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00532   960   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   960   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 13037560, ... ) }, 13037560, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534   960   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 13037560, ... ) }, 13037560, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00535   960   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 13037560, ... ) }, 13037560, ... ) == 0x0
 00536   960   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00537   960   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00538   960   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00539   960   NtClose  (104, ... ) == 0x0
 00540   960   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 00541   960   NtClose  (108, ... ) == 0x0
 00542   960   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 108, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 108, 2, ) , 0, ... 108, 2, ) == 0x0
 00543   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 104, ) }, ... 104, ) == 0x0
 00544   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00545   960   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   960   NtQueryValueKey  (104,  (104, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00547   960   NtQueryValueKey  (108,  (108, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   960   NtQueryValueKey  (104,  (104, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549   960   NtQueryValueKey  (108,  (108, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00550   960   NtQueryValueKey  (104,  (104, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00551   960   NtQueryValueKey  (108,  (108, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00552   960   NtQueryValueKey  (104,  (104, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00553   960   NtQueryValueKey  (108,  (108, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554   960   NtQueryValueKey  (104,  (104, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555   960   NtQueryValueKey  (104,  (104, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00556   960   NtQueryValueKey  (104,  (104, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00557   960   NtQueryValueKey  (104,  (104, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00558   960   NtQueryValueKey  (104,  (104, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00559   960   NtQueryValueKey  (104,  (104, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00560   960   NtQueryValueKey  (104,  (104, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00561   960   NtQueryValueKey  (108,  (108, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00562   960   NtQueryValueKey  (104,  (104, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00563   960   NtQueryValueKey  (104,  (104, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00564   960   NtQueryValueKey  (108,  (108, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00565   960   NtQueryValueKey  (104,  (104, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00566   960   NtQueryValueKey  (108,  (108, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00567   960   NtQueryValueKey  (104,  (104, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00568   960   NtQueryValueKey  (108,  (108, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00569   960   NtQueryValueKey  (104,  (104, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00570   960   NtQueryValueKey  (108,  (108, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   960   NtQueryValueKey  (104,  (104, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00572   960   NtQueryValueKey  (108,  (108, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   960   NtQueryValueKey  (104,  (104, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   960   NtQueryValueKey  (108,  (108, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575   960   NtQueryValueKey  (104,  (104, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576   960   NtQueryValueKey  (108,  (108, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00577   960   NtQueryValueKey  (104,  (104, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00578   960   NtQueryValueKey  (108,  (108, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   960   NtQueryValueKey  (104,  (104, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00580   960   NtQueryValueKey  (104,  (104, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00581   960   NtQueryValueKey  (104,  (104, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00582   960   NtQueryValueKey  (104,  (104, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00583   960   NtQueryValueKey  (104,  (104, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00584   960   NtQueryValueKey  (104,  (104, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00585   960   NtQueryValueKey  (104,  (104, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00586   960   NtQueryValueKey  (104,  (104, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00587   960   NtQueryValueKey  (104,  (104, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00588   960   NtQueryValueKey  (104,  (104, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00589   960   NtQueryValueKey  (104,  (104, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00590   960   NtQueryValueKey  (104,  (104, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00591   960   NtQueryValueKey  (104,  (104, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00592   960   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 112, ) }, ... 112, ) == 0x0
 00593   960   NtQueryValueKey  (112,  (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00594   960   NtClose  (112, ... ) == 0x0
 00595   960   NtClose  (108, ... ) == 0x0
 00596   960   NtClose  (104, ... ) == 0x0
 00597   960   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 104, ) }, ... 104, ) == 0x0
 00598   960   NtQueryValueKey  (104,  (104, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00599   960   NtQueryValueKey  (104,  (104, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   960   NtQueryValueKey  (104,  (104, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00601   960   NtClose  (104, ... ) == 0x0
 00602   960   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00603   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 104, ) }, ... 104, ) == 0x0
 00605   960   NtQueryValueKey  (104,  (104, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   960   NtClose  (104, ... ) == 0x0
 00607   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   960   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 104, ) == 0x0
 00609   960   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00610   960   NtQuerySystemTime  (... {-1243987388, 29884252}, ) == 0x0
 00611   960   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 00612   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00613   960   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00614   960   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00615   960   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00616   960   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00617   960   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00618   960   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0
 00619   960   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00620   960   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 13038036, 112, ... 128, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 13038036, 112, ... 128, 0x0, 0x0, 0x0, 112, ) == 0x0
 00621   960   NtRequestWaitReplyPort  (128, {128, 152, new_msg, 0, 1310720, 126888, 1310720, 13037800}  (128, {128, 152, new_msg, 0, 1310720, 126888, 1310720, 13037800} "\0$\370w\230\367\306\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\00\245\24\0\4\0\0\00\245\24\0\20\344\314w0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0H\242\24\0\220\243\24\0\0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0`\1\0\0" ... {128, 152, reply, 0, 448, 960, 1585, 0} "\7$\370w\230\367\306\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\00\245\24\0\377\377\377\3770\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0H\242\24\0\220\243\24\0\0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0`\1\0\0" )  ... {128, 152, reply, 0, 448, 960, 1585, 0}  (128, {128, 152, new_msg, 0, 1310720, 126888, 1310720, 13037800} "\0$\370w\230\367\306\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\00\245\24\0\4\0\0\00\245\24\0\20\344\314w0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0H\242\24\0\220\243\24\0\0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0`\1\0\0" ... {128, 152, reply, 0, 448, 960, 1585, 0} "\7$\370w\230\367\306\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\00\245\24\0\377\377\377\3770\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0H\242\24\0\220\243\24\0\0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0`\1\0\0" )  ) == 0x0
 00622   960   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 0, 0, 0, 0, 0}  (128, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 448, 960, 1586, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 448, 960, 1586, 0}  (128, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 448, 960, 1586, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 00623   960   NtClose  (124, ... ) == 0x0
 00624   960   NtClose  (128, ... ) == 0x0
 00625   960   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 128, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 128, 2, ) , 0, ... 128, 2, ) == 0x0
 00626   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 124, ) }, ... 124, ) == 0x0
 00627   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00628   960   NtQueryValueKey  (128,  (128, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 00629   960   NtQueryValueKey  (128,  (128, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 00630   960   NtClose  (128, ... ) == 0x0
 00631   960   NtClose  (124, ... ) == 0x0
 00632   960   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00633   960   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 13037900, 112, ... 128, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 13037900, 112, ... 128, 0x0, 0x0, 0x0, 112, ) == 0x0
 00634   960   NtRequestWaitReplyPort  (128, {128, 152, new_msg, 0, 1310720, 126752, 1310720, 13037664}  (128, {128, 152, new_msg, 0, 1310720, 126752, 1310720, 13037664} "\0$\370w\20\367\306\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\00\245\24\0\4\0\0\00\245\24\0\20\344\314w0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\330\241\24\0\230\243\24\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\306\0L\362\306\0x\1\24\0\0\0\0\0\0\245\24\0\5\0\0\0" ... {128, 152, reply, 0, 448, 960, 1589, 0} "\7$\370w\20\367\306\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\00\245\24\0\377\377\377\3770\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\330\241\24\0\230\243\24\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\306\0L\362\306\0x\1\24\0\0\0\0\0\0\245\24\0\5\0\0\0" )  ... {128, 152, reply, 0, 448, 960, 1589, 0}  (128, {128, 152, new_msg, 0, 1310720, 126752, 1310720, 13037664} "\0$\370w\20\367\306\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\00\245\24\0\4\0\0\00\245\24\0\20\344\314w0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\330\241\24\0\230\243\24\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\306\0L\362\306\0x\1\24\0\0\0\0\0\0\245\24\0\5\0\0\0" ... {128, 152, reply, 0, 448, 960, 1589, 0} "\7$\370w\20\367\306\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\00\245\24\0\377\377\377\3770\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\330\241\24\0\230\243\24\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\306\0L\362\306\0x\1\24\0\0\0\0\0\0\245\24\0\5\0\0\0" )  ) == 0x0
 00635   960   NtRequestWaitReplyPort  (128, {44, 68, new_msg, 0, 448, 960, 1586, 0}  (128, {44, 68, new_msg, 0, 448, 960, 1586, 0} "\1\240\0\0A\2\4\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 448, 960, 1590, 0} "\2\240\372\177\4\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ... {40, 64, reply, 0, 448, 960, 1590, 0}  (128, {44, 68, new_msg, 0, 448, 960, 1586, 0} "\1\240\0\0A\2\4\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 448, 960, 1590, 0} "\2\240\372\177\4\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ) == 0x0
 00636   960   NtRequestWaitReplyPort  (128, {64, 88, new_msg, 56, 0, 1, 0, 0}  (128, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\362\306\0@\0\314wp\241\24\0\24\363\306\0|\363\306\0\0\267\362v|\363\306\0p\241\24\0\1\0\0\0\230\246\24\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 448, 960, 1591, 0} "\10\362\306\0@\0\314wp\241\24\0\24\363\306\0|\363\306\0\0\267\362v|\363\306\0p\241\24\0\1\0\0\0\230\246\24\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {64, 88, reply, 56, 448, 960, 1591, 0}  (128, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\362\306\0@\0\314wp\241\24\0\24\363\306\0|\363\306\0\0\267\362v|\363\306\0p\241\24\0\1\0\0\0\230\246\24\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 448, 960, 1591, 0} "\10\362\306\0@\0\314wp\241\24\0\24\363\306\0|\363\306\0\0\267\362v|\363\306\0p\241\24\0\1\0\0\0\230\246\24\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00637   960   NtClose  (124, ... ) == 0x0
 00638   960   NtClose  (128, ... ) == 0x0
 00639   960   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 128, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 128, 2, ) , 0, ... 128, 2, ) == 0x0
 00640   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 124, ) }, ... 124, ) == 0x0
 00641   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642   960   NtQueryValueKey  (128,  (128, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00643   960   NtQueryValueKey  (128,  (128, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00644   960   NtClose  (128, ... ) == 0x0
 00645   960   NtClose  (124, ... ) == 0x0
 00646   960   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 124, ) }, ... 124, ) == 0x0
 00647   960   NtQueryValueKey  (124,  (124, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00648   960   NtClose  (124, ... ) == 0x0
 00649   960   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 13037444, ... ) }, 13037444, ... ) == 0x0
 00650   960   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00651   960   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 124, ... 128, ) == 0x0
 00652   960   NtClose  (124, ... ) == 0x0
 00653   960   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc70000), 0x0, 16384, ) == 0x0
 00654   960   NtClose  (128, ... ) == 0x0
 00655   960   NtUnmapViewOfSection  (-1, 0xc70000, ... ) == 0x0
 00656   960   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 13037760, ... ) }, 13037760, ... ) == 0x0
 00657   960   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 00658   960   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 124, ) == 0x0
 00659   960   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00660   960   NtClose  (128, ... ) == 0x0
 00661   960   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0
 00662   960   NtClose  (124, ... ) == 0x0
 00663   960   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 124, ) }, ... 124, ) == 0x0
 00664   960   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 00665   960   NtClose  (124, ... ) == 0x0
 00666   960   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00667   960   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 128, ) }, ... 128, ) == 0x0
 00668   960   NtQueryValueKey  (128,  (128, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00669   960   NtClose  (128, ... ) == 0x0
 00670   960   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 13037444, ... ) }, 13037444, ... ) == 0x0
 00671   960   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00672   960   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 13041664, 65536, ) == 0x0
 00673   960   NtAllocateVirtualMemory  (-1, 13041664, 0, 4096, 4096, 4, ... 13041664, 4096, ) == 0x0
 00674   960   NtAllocateVirtualMemory  (-1, 13045760, 0, 8192, 4096, 4, ... 13045760, 8192, ) == 0x0
 00675   960   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00676   960   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 128, ) == 0x0
 00677   960   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 13037720, 112, ... 132, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 13037720, 112, ... 132, 0x0, 0x0, 0x0, 112, ) == 0x0
 00678   960   NtRequestWaitReplyPort  (132, {128, 152, new_msg, 0, 126572, 1310720, 13037484, 2012750850}  (132, {128, 152, new_msg, 0, 126572, 1310720, 13037484, 2012750850} "\0\366\306\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\260\255\24\0\0\0\0\0h\257\24\0\320\255\24\0@\257\24\0\0\0\0\0\0\0\0\0\0\0\0\0h\257\24\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 448, 960, 1594, 0} "\7\366\306\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\260\255\24\0\0\0\0\0h\257\24\0\320\255\24\0@\257\24\0\0\0\0\0\0\0\0\0\0\0\0\0h\257\24\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {128, 152, reply, 0, 448, 960, 1594, 0}  (132, {128, 152, new_msg, 0, 126572, 1310720, 13037484, 2012750850} "\0\366\306\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w0\245\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\260\255\24\0\0\0\0\0h\257\24\0\320\255\24\0@\257\24\0\0\0\0\0\0\0\0\0\0\0\0\0h\257\24\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 448, 960, 1594, 0} "\7\366\306\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\260\255\24\0\0\0\0\0h\257\24\0\320\255\24\0@\257\24\0\0\0\0\0\0\0\0\0\0\0\0\0h\257\24\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00679   960   NtRequestWaitReplyPort  (132, {104, 128, new_msg, 0, 448, 960, 1590, 0}  (132, {104, 128, new_msg, 0, 448, 960, 1590, 0} "\1\240\0\0A\2\11\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\234\265\24\0\22\0\0\0\0\0\0\0\22\0\0\0h\0b\0k\0.\0n\0a\0d\01\02\03\0n\0a\0d\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 448, 960, 1595, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 448, 960, 1595, 0}  (132, {104, 128, new_msg, 0, 448, 960, 1590, 0} "\1\240\0\0A\2\11\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\234\265\24\0\22\0\0\0\0\0\0\0\22\0\0\0h\0b\0k\0.\0n\0a\0d\01\02\03\0n\0a\0d\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 448, 960, 1595, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 00680   960   NtClose  (128, ... ) == 0x0
 00681   960   NtClose  (132, ... ) == 0x0
 00682   960   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 132, ) }, ... 132, ) == 0x0
 00683   960   NtQueryValueKey  (132,  (132, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00684   960   NtQueryValueKey  (132,  (132, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00685   960   NtQueryValueKey  (132,  (132, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00686   960   NtClose  (132, ... ) == 0x0
 00687   960   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00688   960   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 13038480, ... ) }, 13038480, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00689   960   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 13038480, ... ) }, 13038480, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00690   960   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 13038480, ... ) }, 13038480, ... ) == 0x0
 00691   960   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 00692   960   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 00693   960   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00694   960   NtClose  (132, ... ) == 0x0
 00695   960   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0
 00696   960   NtClose  (128, ... ) == 0x0
 00697   960   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 128, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 128, {status=0x0, info=0}, ) == 0x0
 00698   960   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 00699   960   NtDeviceIoControlFile  (128, 132, 0x0, 0x0, 0xf14014,  (128, 132, 0x0, 0x0, 0xf14014, "\3\0\0\0hbk.nad123nad.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 00700   960   NtClose  (132, ... ) == 0x0
 00701   960   NtClose  (128, ... ) == 0x0
 00702   960   NtDelayExecution  (0, {-410065408, -3}, ...
 00518   456   NtWaitForSingleObject  ... ) == 0x102
 00703   456   NtQuerySystemTime  (... {-1238987388, 29884252}, ) == 0x0
 00704   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00705   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00706   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00707   456   NtQuerySystemTime  (... {-1218987388, 29884252}, ) == 0x0
 00708   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00709   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00710   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00711   456   NtQuerySystemTime  (... {-1198987388, 29884252}, ) == 0x0
 00712   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00713   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00714   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00715   456   NtQuerySystemTime  (... {-1178987388, 29884252}, ) == 0x0
 00716   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00717   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00718   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00719   456   NtQuerySystemTime  (... {-1158987388, 29884252}, ) == 0x0
 00720   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00721   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00722   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00723   456   NtQuerySystemTime  (... {-1138987388, 29884252}, ) == 0x0
 00724   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00725   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00726   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00727   456   NtQuerySystemTime  (... {-1118987388, 29884252}, ) == 0x0
 00728   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00729   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00730   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00731   456   NtQuerySystemTime  (... {-1098987388, 29884252}, ) == 0x0
 00732   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00733   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00734   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00735   456   NtQuerySystemTime  (... {-1078987388, 29884252}, ) == 0x0
 00736   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00737   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00738   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00739   456   NtQuerySystemTime  (... {-1058987388, 29884252}, ) == 0x0
 00740   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00741   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00742   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00743   456   NtQuerySystemTime  (... {-1038987388, 29884252}, ) == 0x0
 00744   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00745   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00746   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00747   456   NtQuerySystemTime  (... {-1018987388, 29884252}, ) == 0x0
 00748   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00749   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00750   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00751   456   NtQuerySystemTime  (... {-998987388, 29884252}, ) == 0x0
 00752   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00753   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00754   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00755   456   NtQuerySystemTime  (... {-978987388, 29884252}, ) == 0x0
 00756   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00757   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00758   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00759   456   NtQuerySystemTime  (... {-958987388, 29884252}, ) == 0x0
 00760   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00761   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00762   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00763   456   NtQuerySystemTime  (... {-938987388, 29884252}, ) == 0x0
 00764   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00765   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00766   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00767   456   NtQuerySystemTime  (... {-918987388, 29884252}, ) == 0x0
 00768   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00769   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00770   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00771   456   NtQuerySystemTime  (... {-898987388, 29884252}, ) == 0x0
 00772   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00773   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00774   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00775   456   NtQuerySystemTime  (... {-878987388, 29884252}, ) == 0x0
 00776   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00777   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00778   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00779   456   NtQuerySystemTime  (... {-858987388, 29884252}, ) == 0x0
 00780   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00781   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00782   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00783   456   NtQuerySystemTime  (... {-838987388, 29884252}, ) == 0x0
 00784   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00785   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00786   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00787   456   NtQuerySystemTime  (... {-818987388, 29884252}, ) == 0x0
 00788   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00789   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00790   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00791   456   NtQuerySystemTime  (... {-798987388, 29884252}, ) == 0x0
 00792   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00793   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00794   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00795   456   NtQuerySystemTime  (... {-778987388, 29884252}, ) == 0x0
 00796   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00797   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00798   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00799   456   NtQuerySystemTime  (... {-758987388, 29884252}, ) == 0x0
 00800   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00801   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00802   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00803   456   NtQuerySystemTime  (... {-738987388, 29884252}, ) == 0x0
 00804   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00805   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00806   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00807   456   NtQuerySystemTime  (... {-718987388, 29884252}, ) == 0x0
 00808   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00809   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00810   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00811   456   NtQuerySystemTime  (... {-698987388, 29884252}, ) == 0x0
 00812   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00813   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00814   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00815   456   NtQuerySystemTime  (... {-678987388, 29884252}, ) == 0x0
 00816   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00817   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00818   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00819   456   NtQuerySystemTime  (... {-658987388, 29884252}, ) == 0x0
 00820   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00821   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00822   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00823   456   NtQuerySystemTime  (... {-638987388, 29884252}, ) == 0x0
 00824   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00825   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00826   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00827   456   NtQuerySystemTime  (... {-618987388, 29884252}, ) == 0x0
 00828   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00829   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00830   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00831   456   NtQuerySystemTime  (... {-598987388, 29884252}, ) == 0x0
 00832   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00833   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00834   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00835   456   NtQuerySystemTime  (... {-578987388, 29884252}, ) == 0x0
 00836   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ... ) == 0x0
 00837   456   NtDeviceIoControlFile  (80, 76, 0x0, 0x0, 0x12024,  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , 28, 28, ... {status=0x0, info=16},  (80, 76, 0x0, 0x0, 0x12024, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0P\0\0\0\31\0\0\0\0\1\0\1", 28, 28, ... {status=0x0, info=16}, "\0\323\316\376\377\377\377\377\1\0\0\0\0\0\0\0", ) , ) == 0x103
 00838   456   NtWaitForSingleObject  (76, 1, {-5000000, -1}, ... ) == 0x102
 00839   456   NtQuerySystemTime  (... {-558987388, 29884252}, ) == 0x0
 00840   456   NtWaitForSingleObject  (76, 1, {-1, 2147483647}, ...