Summary (per-syscall call counts for the whole traced run — the number after each Nt* name is how many times that call occurs; entries are laid out column-major in ascending order of count, and the `(>)` marker is tool-specific and not explained here; note the counts run as high as 424 while the trace listing below stops at record 00303, so the listing is a prefix of the run, not the full trace):

NtAddAtom(>) 1 NtGdiHfontCreate(>) 2 NtAccessCheck(>) 5 NtUserRegisterWindowMessage(>) 20
NtCallbackReturn(>) 1 NtOpenDirectoryObject(>) 2 NtGdiGetStockObject(>) 5 NtWaitForSingleObject(>) 20
NtCreateMutant(>) 1 NtOpenEvent(>) 2 NtUserGetProcessWindowStation(>) 5 NtQueryInformationFile(>) 21
NtCreateProcessEx(>) 1 NtOpenSymbolicLinkObject(>) 2 NtOpenThreadToken(>) 6 NtQueryInformationProcess(>) 22
NtEnumerateValueKey(>) 1 NtQuerySymbolicLinkObject(>) 2 NtQueryDirectoryFile(>) 7 NtCreateEvent(>) 26
NtFsControlFile(>) 1 NtReadVirtualMemory(>) 2 NtSetEvent(>) 7 NtOpenProcessTokenEx(>) 30
NtGdiCreateBitmap(>) 1 NtSetEventBoostPriority(>) 2 NtUserBuildHwndList(>) 7 NtOpenThreadTokenEx(>) 30
NtGdiCreatePatternBrushInternal(>) 1 NtClearEvent(>) 3 NtOpenMutant(>) 8 NtCreateSection(>) 31
NtGdiInit(>) 1 NtContinue(>) 3 NtQueryVolumeInformationFile(>) 8 NtFreeVirtualMemory(>) 34
NtGdiQueryFontAssocInfo(>) 1 NtCreateThread(>) 3 NtCreateKey(>) 9 NtQueryInformationToken(>) 37
NtGdiSelectBitmap(>) 1 NtDelayExecution(>) 3 NtOpenProcessToken(>) 9 NtQuerySystemInformation(>) 42
NtOpenKeyedEvent(>) 1 NtDuplicateObject(>) 3 NtSetInformationProcess(>) 9 NtOpenSection(>) 45
NtQueryEvent(>) 1 NtGdiCreateCompatibleDC(>) 3 NtUserCallNoParam(>) 9 NtUserGetAtomName(>) 47
NtQueryInformationJobObject(>) 1 NtGdiDeleteObjectApp(>) 3 NtQueryDefaultUILanguage(>) 10 NtUserUnregisterClass(>) 47
NtQueryInstallUILanguage(>) 1 NtNotifyChangeKey(>) 3 NtReleaseMutant(>) 10 NtUserFindExistingCursorIcon(>) 50
NtQueryObject(>) 1 NtOpenProcess(>) 3 NtUserGetWindowDC(>) 10 NtOpenFile(>) 57
NtQueryTimerResolution(>) 1 NtReleaseSemaphore(>) 3 NtCreateSemaphore(>) 11 NtQueryVirtualMemory(>) 58
NtReadFile(>) 1 NtResumeThread(>) 3 NtEnumerateKey(>) 12 NtUserRegisterClassExWOW(>) 61
NtSecureConnectPort(>) 1 NtSetInformationObject(>) 3 NtUserCallOneParam(>) 12 NtMapViewOfSection(>) 63
NtTerminateThread(>) 1 NtTerminateProcess(>) 3 NtUserSystemParametersInfo(>) 12 NtQueryAttributesFile(>) 74
NtUserBuildNameList(>) 1 NtTestAlert(>) 3 NtSetInformationThread(>) 13 NtFlushInstructionCache(>) 132
NtUserCloseDesktop(>) 1 NtUserOpenDesktop(>) 3 NtQueryDebugFilterState(>) 17 NtAllocateVirtualMemory(>) 144
NtUserGetDC(>) 1 NtWaitForMultipleObjects(>) 3 NtDeviceIoControlFile(>) 18 NtUserValidateHandleSecure(>) 154
NtUserGetGUIThreadInfo(>) 1 NtQueryInformationThread(>) 4 NtQuerySection(>) 18 NtUserQueryWindow(>) 188
NtUserGetObjectInformation(>) 1 NtQueryPerformanceCounter(>) 4 NtUnmapViewOfSection(>) 18 NtProtectVirtualMemory(>) 271
NtUserGetThreadDesktop(>) 1 NtRegisterThreadTerminatePort(>) 4 NtRequestWaitReplyPort(>) 19 NtOpenKey(>) 306
NtConnectPort(>) 2 NtSetValueKey(>) 4 NtCreateFile(>) 20 NtClose(>) 348
NtDuplicateToken(>) 2 NtWriteFile(>) 4 NtQueryDefaultLocale(>) 20 NtQueryValueKey(>) 424
NtGdiCreateSolidBrush(>) 2 NtWriteVirtualMemory(>) 4 NtSetInformationFile(>) 20

Trace (one record per system call, in the form `<sequence number> <thread id> <Nt* call> (<input arguments> ... <output arguments>) == <NTSTATUS>`; the second field is 2020 on every record and the same value is passed to NtUserGetThreadDesktop in record 00225, so this is a single-thread view; where one record is split around another, as with 00215/00216, the inner call completed while the outer one was still in progress). Reading note: the early records — the `Image File Execution Options` lookups for `packed.exe` and each DLL, the `SafeDllSearchMode`, Safer `CodeIdentifiers` and `AppInit_DLLs` queries, and the NtProtectVirtualMemory/NtFlushInstructionCache pairs on freshly mapped system DLLs — are generated by the OS loader and subsystem initialisation, not by the sample's own code; record 00258 (Win32StartAddress 0x4012f2) appears to be the hand-off to the image's entry point, so anything this listing supports about the packer itself would have to come from records after that, and the listing is cut off shortly afterwards:

00001 2020 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 2020 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 2020 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 1310720, 4096, ) == 0x0 00006 2020 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 2020 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0 00008 2020 NtAllocateVirtualMemory (-1, 1376256, 0, 10248, 4096, 4, ... 1376256, 12288, ) == 0x0 00009 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00010 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0 00011 2020 NtAllocateVirtualMemory (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0 00012 2020 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 
8, ) == 0x0 00013 2020 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00014 2020 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00015 2020 NtClose (12, ... ) == 0x0 00016 2020 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00017 2020 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00018 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00019 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00020 2020 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00021 2020 NtClose (16, ... ) == 0x0 00022 2020 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00023 2020 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00024 2020 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00025 2020 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00026 2020 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00027 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00028 2020 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 
16, ) == 0x0 00029 2020 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1313584, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2490368, 19267584}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1313584, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2490368, 19267584}, {0, 0, 0}, 200, 44, ) == 0x0 00030 2020 NtClose (16, ... ) == 0x0 00031 2020 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00032 2020 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00033 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00034 2020 NtQueryVirtualMemory (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00035 2020 NtAllocateVirtualMemory (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0 00036 2020 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6&\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ... {28, 56, reply, 0, 868, 2020, 75550, 0} "P\14\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ) ... {28, 56, reply, 0, 868, 2020, 75550, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6&\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ... {28, 56, reply, 0, 868, 2020, 75550, 0} "P\14\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ) ) == 0x0 00037 2020 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00038 2020 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00039 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00040 2020 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00041 2020 NtClose (16, ... ) == 0x0 00042 2020 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00043 2020 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0 00044 2020 NtClose (16, ... ) == 0x0 00045 2020 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00046 2020 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00047 2020 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 249856, ) == 0x0 00048 2020 NtClose (16, ... ) == 0x0 00049 2020 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00050 2020 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0 00051 2020 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00052 2020 NtClose (16, ... ) == 0x0 00053 2020 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00054 2020 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0 00055 2020 NtClose (16, ... ) == 0x0 00056 2020 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00057 2020 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 2020 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00059 2020 NtAllocateVirtualMemory (-1, 2494464, 0, 8192, 4096, 4, ... 2494464, 8192, ) == 0x0 00060 2020 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6&\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ... {24, 52, reply, 0, 868, 2020, 75571, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ) ... {24, 52, reply, 0, 868, 2020, 75571, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6&\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ... {24, 52, reply, 0, 868, 2020, 75571, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ) ) == 0x0 00061 2020 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6&\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6&\18\6\0\0" ... {28, 56, reply, 0, 868, 2020, 75572, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6&\18\6\0\0" ) ... {28, 56, reply, 0, 868, 2020, 75572, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6&\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6&\18\6\0\0" ... {28, 56, reply, 0, 868, 2020, 75572, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6&\18\6\0\0" ) ) == 0x0 00062 2020 NtProtectVirtualMemory (-1, (0x845000), 221184, 4, ... (0x845000), 221184, 128, ) == 0x0 00063 2020 NtProtectVirtualMemory (-1, (0x845000), 221184, 128, ... 
(0x845000), 221184, 8, ) == 0x0 00064 2020 NtFlushInstructionCache (-1, 8671232, 221184, ... ) == 0x0 00065 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.DLL"}, ... 16, ) }, ... 16, ) == 0x0 00066 2020 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00067 2020 NtClose (16, ... ) == 0x0 00068 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00069 2020 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00070 2020 NtClose (16, ... ) == 0x0 00071 2020 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00072 2020 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00073 2020 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00074 2020 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00075 2020 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00076 2020 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00077 2020 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00078 2020 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00079 2020 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00080 2020 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00081 2020 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00082 2020 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00083 2020 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00084 2020 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00085 2020 NtFlushInstructionCache (-1, 2118193152, 1252, ... 
) == 0x0 00086 2020 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00087 2020 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00088 2020 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00089 2020 NtProtectVirtualMemory (-1, (0x845000), 221184, 4, ... (0x845000), 221184, 128, ) == 0x0 00090 2020 NtProtectVirtualMemory (-1, (0x845000), 221184, 128, ... (0x845000), 221184, 8, ) == 0x0 00091 2020 NtFlushInstructionCache (-1, 8671232, 221184, ... ) == 0x0 00092 2020 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00093 2020 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00094 2020 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00095 2020 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00096 2020 NtClose (16, ... ) == 0x0 00097 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00098 2020 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00099 2020 NtClose (16, ... ) == 0x0 00100 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 2020 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00103 2020 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 2012282880, 2090320576, 1242028} (24, {28, 56, new_msg, 0, 2089900645, 2012282880, 2090320576, 1242028} "\210\6&\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6&\1$\1\0\0" ... {28, 56, reply, 0, 868, 2020, 75637, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6&\1$\1\0\0" ) ... {28, 56, reply, 0, 868, 2020, 75637, 0} (24, {28, 56, new_msg, 0, 2089900645, 2012282880, 2090320576, 1242028} "\210\6&\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6&\1$\1\0\0" ... {28, 56, reply, 0, 868, 2020, 75637, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6&\1$\1\0\0" ) ) == 0x0 00104 2020 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00105 2020 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00106 2020 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 2020 NtClose (16, ... ) == 0x0 00108 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0 00109 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00110 2020 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0 00111 2020 NtClose (16, ... ) == 0x0 00112 2020 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 110592, ) == 0x0 00113 2020 NtClose (28, ... 
) == 0x0 00114 2020 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00115 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0 00116 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00117 2020 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0 00118 2020 NtClose (28, ... ) == 0x0 00119 2020 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 110592, ) == 0x0 00120 2020 NtClose (16, ... ) == 0x0 00121 2020 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00122 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0 00123 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00124 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00125 2020 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00126 2020 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00127 2020 NtQueryInformationToken (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00128 2020 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 2020 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00130 2020 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... 
TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00131 2020 NtClose (36, ... ) == 0x0 00132 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00133 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00134 2020 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00135 2020 NtClose (36, ... ) == 0x0 00136 2020 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00137 2020 NtClose (32, ... ) == 0x0 00138 2020 NtClose (16, ... ) == 0x0 00139 2020 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00140 2020 NtClose (28, ... ) == 0x0 00141 2020 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00142 2020 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00143 2020 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00144 2020 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00145 2020 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00146 2020 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00147 2020 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00148 2020 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00149 2020 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00150 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00151 2020 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00152 2020 NtClose (28, ... 
) == 0x0 00153 2020 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00154 2020 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00155 2020 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00156 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00157 2020 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00158 2020 NtClose (28, ... ) == 0x0 00159 2020 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00160 2020 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00161 2020 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00162 2020 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00163 2020 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00164 2020 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00165 2020 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00166 2020 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00167 2020 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00168 2020 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00169 2020 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00170 2020 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00171 2020 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00172 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00173 2020 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 00174 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00176 2020 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00177 2020 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00178 2020 NtClose (28, ... ) == 0x0 00179 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00180 2020 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00181 2020 NtClose (28, ... ) == 0x0 00182 2020 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00183 2020 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00184 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00185 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00186 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00187 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0 00188 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00190 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0 00191 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0 00193 2020 NtQueryValueKey (16, (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00194 2020 NtClose (16, ... 
) == 0x0 00195 2020 NtMapViewOfSection (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 1060864, ) == 0x0 00196 2020 NtClose (-2147482576, ... ) == 0x0 00197 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0 00198 2020 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00199 2020 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482576, ) == 0x0 00200 2020 NtQueryInformationToken (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00201 2020 NtQueryInformationToken (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00202 2020 NtClose (-2147482576, ... ) == 0x0 00203 2020 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 10027008, 4096, ) == 0x0 00204 2020 NtFreeVirtualMemory (-1, (0x990000), 4096, 32768, ... (0x990000), 4096, ) == 0x0 00205 2020 NtDuplicateObject (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0 00206 2020 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00207 2020 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00208 2020 NtClose (-2147482576, ... ) == 0x0 00209 2020 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00210 2020 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 2020 NtClose (-2147482576, ... ) == 0x0 00212 2020 NtQueryDefaultLocale (0, -142005940, ... ) == 0x0 00213 2020 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00214 2020 NtUserCallNoParam (24, ... ) == 0x0 00215 2020 NtGdiCreateCompatibleDC (0, ... 00216 2020 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 
10027008, 4096, ) == 0x0 00215 2020 NtGdiCreateCompatibleDC ... ) == 0xa3010623 00217 2020 NtGdiGetStockObject (0, ... ) == 0x1900010 00218 2020 NtGdiGetStockObject (4, ... ) == 0x1900011 00219 2020 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0x7405062f 00220 2020 NtGdiCreateSolidBrush (0, 0, ... 00221 2020 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 13238272, 4096, ) == 0x0 00220 2020 NtGdiCreateSolidBrush ... ) == 0xa6100656 00222 2020 NtGdiGetStockObject (13, ... ) == 0x18a0021 00223 2020 NtGdiCreateCompatibleDC (0, ... ) == 0x920104fb 00224 2020 NtGdiSelectBitmap (-1845426949, 1946486319, ... ) == 0x185000f 00225 2020 NtUserGetThreadDesktop (2020, 0, ... ) == 0x24 00226 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00227 2020 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00228 2020 NtClose (44, ... ) == 0x0 00229 2020 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00230 2020 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x819fc017 00231 2020 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00232 2020 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x819fc01c 00233 2020 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00234 2020 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x819fc01e 00235 2020 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00236 2020 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... 
) == 0x819f8002 00237 2020 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10013 00238 2020 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x819fc018 00239 2020 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00240 2020 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x819fc01a 00241 2020 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00242 2020 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x819fc01d 00243 2020 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00244 2020 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x819fc026 00245 2020 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00246 2020 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x819fc019 00247 2020 NtUserRegisterClassExWOW (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x819fc020 00248 2020 NtUserRegisterClassExWOW (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x819fc022 00249 2020 NtUserRegisterClassExWOW (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x819fc023 00250 2020 NtUserRegisterClassExWOW (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x819fc024 00251 2020 NtUserRegisterClassExWOW (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x819fc025 00252 2020 NtCallbackReturn (0, 0, 0, ... 00253 2020 NtGdiInit (... ) == 0x1 00254 2020 NtGdiGetStockObject (18, ... ) == 0x290001c 00255 2020 NtGdiGetStockObject (19, ... ) == 0x1b00019 00256 2020 NtTestAlert (... ) == 0x0 00257 2020 NtContinue (1244464, 1, ... 00258 2020 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4012f2,}, 4, ... ) == 0x0 00259 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 
44, ) }, ... 44, ) == 0x0 00260 2020 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00261 2020 NtClose (44, ... ) == 0x0 00262 2020 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00263 2020 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00264 2020 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00265 2020 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00266 2020 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00267 2020 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00268 2020 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00269 2020 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00270 2020 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00271 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 44, ) }, ... 44, ) == 0x0 00272 2020 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00273 2020 NtClose (44, ... ) == 0x0 00274 2020 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00275 2020 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00276 2020 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00277 2020 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00278 2020 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00279 2020 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00280 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 44, ) }, ... 44, ) == 0x0 00281 2020 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x774e0000), 0x0, 1298432, ) == 0x0 00282 2020 NtClose (44, ... ) == 0x0 00283 2020 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00284 2020 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00285 2020 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00286 2020 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00287 2020 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00288 2020 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00289 2020 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00290 2020 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00291 2020 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00292 2020 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00293 2020 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00294 2020 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00295 2020 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00296 2020 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00297 2020 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00298 2020 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00299 2020 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00300 2020 NtFlushInstructionCache (-1, 2001604608, 2352, ... ) == 0x0 00301 2020 NtProtectVirtualMemory (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0 00302 2020 NtProtectVirtualMemory (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0 00303 2020 NtFlushInstructionCache (-1, 2001604608, 2352, ... 
) == 0x0 00304 2020 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00305 2020 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00306 2020 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00307 2020 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00308 2020 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00309 2020 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00310 2020 NtProtectVirtualMemory (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0 00311 2020 NtProtectVirtualMemory (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0 00312 2020 NtFlushInstructionCache (-1, 1997672448, 1272, ... ) == 0x0 00313 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00314 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00315 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 13303808, 65536, ) == 0x0 00316 2020 NtAllocateVirtualMemory (-1, 13303808, 0, 4096, 4096, 4, ... 13303808, 4096, ) == 0x0 00317 2020 NtAllocateVirtualMemory (-1, 13307904, 0, 8192, 4096, 4, ... 13307904, 8192, ) == 0x0 00318 2020 NtAllocateVirtualMemory (-1, 13316096, 0, 4096, 4096, 4, ... 13316096, 4096, ) == 0x0 00319 2020 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0 00320 2020 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0xcc0000), 0x0, 12288, ) == 0x0 00321 2020 NtClose (44, ... ) == 0x0 00322 2020 NtAllocateVirtualMemory (-1, 13320192, 0, 4096, 4096, 4, ... 13320192, 4096, ) == 0x0 00323 2020 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00324 2020 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00325 2020 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00326 2020 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00327 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00328 2020 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 00329 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0 00330 2020 NtDeviceIoControlFile (44, 0, 0x0, 0x0, 0x390008, (44, 0, 0x0, 0x0, 0x390008, "\364\307\3]\220\30\2130g)!"\310M\357}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
\310M\357}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 00331 2020 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00332 2020 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00333 2020 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00334 2020 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00335 2020 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00336 2020 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00337 2020 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00338 2020 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0 00339 2020 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "\10\13\237\365\207\377Pu*\16\3556\370\212\237lA\350:s\340X\304\330\10\5~\270\342\21\362\265,\227\31:\35{\357\214^\317\375\305\224x\214A\234\35\225\251\201\355\214\304R\322\317\273AE,y.\15Q\23x\343\200\254\234N\177\351\206 \245\355", 80, ... 
) , 0, 3, (-2147482576, "Seed", 0, 3, "\10\13\237\365\207\377Pu*\16\3556\370\212\237lA\350:s\340X\304\330\10\5~\270\342\21\362\265,\227\31:\35{\357\214^\317\375\305\224x\214A\234\35\225\251\201\355\214\304R\322\317\273AE,y.\15Q\23x\343\200\254\234N\177\351\206 \245\355", 80, ... ) , 80, ... ) == 0x0 00340 2020 NtClose (-2147482576, ... ) == 0x0 00330 2020 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\357\357\304\275\321s\211H\W[\371\200\5\317\33\31\274\332DON6;\234\5`*KE$`\371\370\207\310V\310\265\33s\37-\2700\312\235\244\313\6\315<\272\36\274N^p\352\217\245Y\274y^\211\320!\2VG\365t\263\14\211\2335\330\201\227\336\325\340/\330\345\377\20G$qC\N\11\335\217\7//\236\315D\265e\336[\21\315]^\15b\242a\262\310\310\267ln\253+[\235\226\24\237\361\177R\361]\35\354\213{=\340\247\246\277\330\216\3(Q\343JE\17\360\25\351\377`Bo*E\357a?R\220\314/\237\25\274SCXI\3\323\27\303\223S\345\4\307\37X\372\214\316s?v\230\34{\25v7w\240\267i\341P\306\1Wv\205\3604iUD\244\353\246\356\14\370_ZnG\311\330\207S]N|\211\343\266\3444\3162\25U\317\331i\21@G\244\256z\255U\245\333\266(\300", ) , ) == 0x0 00341 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00342 2020 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00343 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0 00344 2020 NtQueryValueKey (48, (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00345 2020 NtClose (48, ... ) == 0x0 00346 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0 00347 2020 NtQueryValueKey (48, (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00348 2020 NtClose (48, ... ) == 0x0 00349 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00350 2020 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00351 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00352 2020 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00353 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0 00354 2020 NtQueryValueKey (48, (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00355 2020 NtQueryValueKey (48, (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00356 2020 NtQueryValueKey (48, (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00357 2020 NtClose (48, ... 
) == 0x0 00358 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0 00359 2020 NtQueryValueKey (48, (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00360 2020 NtQueryValueKey (48, (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00361 2020 NtClose (48, ... ) == 0x0 00362 2020 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0 00363 2020 NtOpenEvent (0x1f0003, {24, 48, 0x0, 0, 0, (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00364 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00365 2020 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077 00366 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00367 2020 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00368 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00369 2020 NtUserCallOneParam (0, 41, ... ) == 0x4 00370 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00371 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 52, ) == 0x0 00372 2020 NtQueryInformationToken (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00373 2020 NtClose (52, ... 
) == 0x0 00374 2020 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 52, ) }, ... 52, ) == 0x0 00375 2020 NtSetInformationObject (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00376 2020 NtOpenKey (0xf0019, {24, 52, 0x40, 0, 0, (0xf0019, {24, 52, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00377 2020 NtOpenKey (0xf0019, {24, 28, 0x40, 0, 0, (0xf0019, {24, 28, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00378 2020 NtOpenKey (0xf0019, {24, 52, 0x40, 0, 0, (0xf0019, {24, 52, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00379 2020 NtOpenProcessToken (-1, 0x8, ... 56, ) == 0x0 00380 2020 NtQueryInformationToken (56, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00381 2020 NtClose (56, ... ) == 0x0 00382 2020 NtAllocateVirtualMemory (-1, 0, 0, 1310704, 4096, 4, ... 13434880, 1310720, ) == 0x0 00383 2020 NtUserCallNoParam (29, ... 00384 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242280, ... ) }, 1242280, ... ) == 0x0 00385 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00386 2020 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 60, ) == 0x0 00387 2020 NtClose (56, ... ) == 0x0 00388 2020 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe10000), 0x0, 221184, ) == 0x0 00389 2020 NtClose (60, ... ) == 0x0 00390 2020 NtUnmapViewOfSection (-1, 0xe10000, ... ) == 0x0 00391 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1242588, ... ) }, 1242588, ... 
) == 0x0 00392 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00393 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0 00394 2020 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00395 2020 NtClose (60, ... ) == 0x0 00396 2020 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0 00397 2020 NtClose (56, ... ) == 0x0 00398 2020 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 00399 2020 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 00400 2020 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 00401 2020 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 00402 2020 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 00403 2020 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 00404 2020 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 00405 2020 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 00406 2020 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 00407 2020 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 00408 2020 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 00409 2020 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 00410 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00411 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00412 2020 NtUserCallOneParam (16842834, 57, ... 
) == 0x1 00413 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00414 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 56, ) == 0x0 00415 2020 NtQueryInformationToken (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00416 2020 NtClose (56, ... ) == 0x0 00417 2020 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0 00418 2020 NtOpenKey (0x1, {24, 56, 0x40, 0, 0, (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 60, ) }, ... 60, ) == 0x0 00419 2020 NtQueryValueKey (60, (60, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00420 2020 NtClose (60, ... ) == 0x0 00421 2020 NtClose (56, ... ) == 0x0 00422 2020 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 00423 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00424 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 56, ) == 0x0 00425 2020 NtQueryInformationToken (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00426 2020 NtClose (56, ... ) == 0x0 00427 2020 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0 00428 2020 NtOpenKey (0x1, {24, 56, 0x40, 0, 0, (0x1, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 60, ) }, ... 60, ) == 0x0 00429 2020 NtQueryValueKey (60, (60, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00430 2020 NtClose (60, ... ) == 0x0 00431 2020 NtClose (56, ... ) == 0x0 00432 2020 NtUserGetProcessWindowStation (... ) == 0x20 00433 2020 NtUserGetObjectInformation (32, 2, 1244376, 64, 1244372, ... ) == 0x1 00434 2020 NtUserGetGUIThreadInfo (2020, 1244396, ... 
) == 0x1 00435 2020 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1244240, 64, ... 56, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1244240, 64, ... 56, 0x0, 0x0, 0x0, 64, ) == 0x0 00436 2020 NtRequestWaitReplyPort (56, {32, 56, new_msg, 0, 0, 0, 0, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 868, 2020, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 868, 2020, 75647, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 868, 2020, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00437 2020 NtRequestWaitReplyPort (56, {32, 56, new_msg, 0, 0, 0, 0, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 868, 2020, 75648, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 868, 2020, 75648, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 868, 2020, 75648, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00438 2020 NtUserCallNoParam (29, ... 00439 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241636, ... ) }, 1241636, ... ) == 0x0 00438 2020 NtUserCallNoParam ... ) == 0x0 00440 2020 NtUserSystemParametersInfo (41, 0, 1524240760, 0, ... ) == 0x1 00441 2020 NtGdiHfontCreate (1243764, 356, 0, 0, 1394480, ... ) == 0x310a04e5 00442 2020 NtGdiHfontCreate (1243764, 356, 0, 0, 1394472, ... ) == 0x850a07af 00443 2020 NtRequestWaitReplyPort (56, {32, 56, new_msg, 0, 0, 0, 0, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{32, 56, reply, 0, 868, 2020, 75649, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 868, 2020, 75649, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 868, 2020, 75649, 0} "\0\0\0\0\0\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00444 2020 NtMapViewOfSection (60, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe10000), {0, 0}, 327680, ) == 0x0 00445 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00446 2020 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00447 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00448 2020 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00449 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00450 2020 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00451 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00452 2020 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00453 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00454 2020 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00455 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00456 2020 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00457 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00458 2020 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00459 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00460 2020 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00461 2020 NtAllocateVirtualMemory (-1, 13324288, 0, 4096, 4096, 4, ... 13324288, 4096, ) == 0x0 00462 2020 NtUserGetWindowDC (0, ... ) == 0x1010052 00463 2020 NtGdiCreatePatternBrushInternal (59048383, 0, 0, ... ) == 0x5f10056a 00464 2020 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00465 2020 NtUserCallNoParam (29, ... 00466 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241076, ... ) }, 1241076, ... ) == 0x0 00465 2020 NtUserCallNoParam ... ) == 0x0 00467 2020 NtUserCallNoParam (29, ... 
00468 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241072, ... ) }, 1241072, ... ) == 0x0 00467 2020 NtUserCallNoParam ... ) == 0x0 00383 2020 NtUserCallNoParam ... ) == 0x1 00469 2020 NtCreateEvent (0x1f0003, {24, 48, 0x80, 0, 0, ""}, 0, 0, ... 64, ) == 0x0 00470 2020 NtCreateEvent (0x1f0003, 0x0, 0, -1, ... 68, ) == 0x0 00471 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0 00472 2020 NtQueryPerformanceCounter (... {1136155386, 16}, {3579545, 0}, ) == 0x0 00473 2020 NtQueryPerformanceCounter (... {1136155584, 16}, {3579545, 0}, ) == 0x0 00474 2020 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244736, (0x80100080, {24, 0, 0x40, 0, 1244736, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00475 2020 NtSetInformationFile (76, 1244856, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00476 2020 NtQueryInformationFile (76, 1244848, 8, Position, ... {status=0x0, info=8}, ) == 0x0 00477 2020 NtSetInformationFile (76, 1244848, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00478 2020 NtQueryInformationFile (76, 1244816, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00479 2020 NtSetInformationFile (76, 1244848, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00480 2020 NtSetInformationFile (76, 1244848, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00481 2020 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 1052672, 4, ... 2146107392, 1048576, ) == 0x0 00482 2020 NtReadFile (76, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576}, (76, 0, 0, 0, 984576, 0x0, 0, ... 
{status=0x0, info=984576}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\27\206 \244S\347N\367S\347N\367S\347N\367S\347O\367\332\346N\367\220\350\23\367P\347N\367\220\350\22\367R\347N\367\220\350\20\367R\347N\367\220\350A\367V\347N\367\220\350\21\367\216\347N\367\220\350.\367W\347N\367\220\350\24\367R\347N\367RichS\347N\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\325\233#F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0"\10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0"\10\0", ) \10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0 (76, 0, 0, 0, 984576, 0x0, 0, ... 
{status=0x0, info=984576}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\27\206 \244S\347N\367S\347N\367S\347N\367S\347O\367\332\346N\367\220\350\23\367P\347N\367\220\350\22\367R\347N\367\220\350\20\367R\347N\367\220\350A\367V\347N\367\220\350\21\367\216\347N\367\220\350.\367W\347N\367\220\350\24\367R\347N\367RichS\347N\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\325\233#F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0"\10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0"\10\0", ) , ) == 0x0 00483 2020 NtClose (76, ... ) == 0x0 00484 2020 NtAllocateVirtualMemory (-1, 0, 0, 589824, 1052672, 4, ... 2145517568, 589824, ) == 0x0 00485 2020 NtAllocateVirtualMemory (-1, 0, 0, 524288, 1052672, 4, ... 2144993280, 524288, ) == 0x0 00486 2020 NtAllocateVirtualMemory (-1, 0, 0, 1003520, 4096, 64, ... 15073280, 1003520, ) == 0x0 00487 2020 NtFreeVirtualMemory (-1, (0x7fe20000), 0, 32768, ... (0x7fe20000), 589824, ) == 0x0 00488 2020 NtFreeVirtualMemory (-1, (0x7fda0000), 0, 32768, ... (0x7fda0000), 524288, ) == 0x0 00489 2020 NtFreeVirtualMemory (-1, (0x7feb0000), 0, 32768, ... (0x7feb0000), 1048576, ) == 0x0 00490 2020 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16121856, 1048576, ) == 0x0 00491 2020 NtAllocateVirtualMemory (-1, 17162240, 0, 8192, 4096, 4, ... 
17162240, 8192, ) == 0x0 00492 2020 NtProtectVirtualMemory (-1, (0x105e000), 4096, 260, ... (0x105e000), 4096, 4, ) == 0x0 00493 2020 NtCreateThread (0x1f03ff, 0x0, -1, 1244016, 1243960, 1, ... 76, {868, 120}, ) == 0x0 00494 2020 NtQueryInformationThread (76, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=868,Tid=120,}, 0x0, ) == 0x0 00495 2020 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244772, 1244776, 32768, 14687264} (24, {28, 56, new_msg, 0, 1244772, 1244776, 32768, 14687264} "\0\0\0\0\1\0\1\0\371\232\200|\377\377\377\377L\0\0\0d\3\0\0x\0\0\0" ... {28, 56, reply, 0, 868, 2020, 75655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\377\377\377\377L\0\0\0d\3\0\0x\0\0\0" ) ... {28, 56, reply, 0, 868, 2020, 75655, 0} (24, {28, 56, new_msg, 0, 1244772, 1244776, 32768, 14687264} "\0\0\0\0\1\0\1\0\371\232\200|\377\377\377\377L\0\0\0d\3\0\0x\0\0\0" ... {28, 56, reply, 0, 868, 2020, 75655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\377\377\377\377L\0\0\0d\3\0\0x\0\0\0" ) ) == 0x0 00496 2020 NtResumeThread (76, ... 1, ) == 0x0 00497 2020 NtDelayExecution (0, {-10000, -1}, ... 00498 120 NtTestAlert (... ) == 0x0 00499 120 NtContinue (17169712, 1, ... 00500 120 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00501 120 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00502 120 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00503 120 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 13314048} (24, {28, 56, new_msg, 0, 0, 0, 0, 13314048} "\210\6&\1\0\0\0\0x\1\313\0\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ... {28, 56, reply, 0, 868, 120, 75656, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ) ... {28, 56, reply, 0, 868, 120, 75656, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 13314048} "\210\6&\1\0\0\0\0x\1\313\0\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ... 
{28, 56, reply, 0, 868, 120, 75656, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ) ) == 0x0 00504 120 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00505 120 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 80, ) }, ... 80, ) == 0x0 00506 120 NtQueryValueKey (80, (80, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (80, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00507 120 NtClose (80, ... ) == 0x0 00508 120 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 80, ) }, ... 80, ) == 0x0 00509 120 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1060000), 0x0, 90112, ) == 0x0 00510 120 NtClose (80, ... ) == 0x0 00511 120 NtQueryDefaultLocale (0, 15614888, ... ) == 0x0 00512 120 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 80, ) }, ... 80, ) == 0x0 00513 120 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1080000), 0x0, 249856, ) == 0x0 00514 120 NtClose (80, ... ) == 0x0 00515 120 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 80, ) }, ... 80, ) == 0x0 00516 120 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x10c0000), 0x0, 266240, ) == 0x0 00517 120 NtQuerySection (80, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00518 120 NtClose (80, ... ) == 0x0 00519 120 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 80, ) }, ... 80, ) == 0x0 00520 120 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1110000), 0x0, 24576, ) == 0x0 00521 120 NtClose (80, ... ) == 0x0 00522 120 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00523 120 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00524 120 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00525 120 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6&\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ... {24, 52, reply, 0, 868, 120, 75657, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ) ... {24, 52, reply, 0, 868, 120, 75657, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6&\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ... {24, 52, reply, 0, 868, 120, 75657, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ) ) == 0x0 00526 120 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 15615648, 1396088, 0, 0} (24, {28, 56, new_msg, 0, 15615648, 1396088, 0, 0} "\210\6&\1\0\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\234\6&\18\6\0\0" ... {28, 56, reply, 0, 868, 120, 75658, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\234\6&\18\6\0\0" ) ... {28, 56, reply, 0, 868, 120, 75658, 0} (24, {28, 56, new_msg, 0, 15615648, 1396088, 0, 0} "\210\6&\1\0\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\234\6&\18\6\0\0" ... {28, 56, reply, 0, 868, 120, 75658, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\5\0\0\0\2\0\0\0\234\6&\18\6\0\0" ) ) == 0x0 00527 120 NtQueryInformationThread (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0 00528 120 NtTerminateThread (0, 0, ... 00529 120 NtFreeVirtualMemory (-1, (0xf60000), 0, 32768, ... (0xf60000), 1048576, ) == 0x0 00497 2020 NtDelayExecution ... ) == 0x0 00530 2020 NtQueryInformationThread (76, Basic, 28, ... 
{ExitStatus=0x0,TebBaseAddress=0x0,Pid=868,Tid=120,}, 0x0, ) == 0x0 00531 2020 NtAllocateVirtualMemory (-1, 1400832, 0, 12288, 4096, 4, ... 1400832, 12288, ) == 0x0 00532 2020 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00533 2020 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 00534 2020 NtAllocateVirtualMemory (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0 00535 2020 NtAllocateVirtualMemory (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0 00536 2020 NtAllocateVirtualMemory (-1, 1208320, 0, 4096, 4096, 260, ... 1208320, 4096, ) == 0x0 00537 2020 NtAllocateVirtualMemory (-1, 1204224, 0, 4096, 4096, 260, ... 1204224, 4096, ) == 0x0 00538 2020 NtAllocateVirtualMemory (-1, 1200128, 0, 4096, 4096, 260, ... 1200128, 4096, ) == 0x0 00539 2020 NtAllocateVirtualMemory (-1, 1196032, 0, 4096, 4096, 260, ... 1196032, 4096, ) == 0x0 00540 2020 NtAllocateVirtualMemory (-1, 1191936, 0, 4096, 4096, 260, ... 1191936, 4096, ) == 0x0 00541 2020 NtAllocateVirtualMemory (-1, 1187840, 0, 4096, 4096, 260, ... 1187840, 4096, ) == 0x0 00542 2020 NtAllocateVirtualMemory (-1, 1183744, 0, 4096, 4096, 260, ... 1183744, 4096, ) == 0x0 00543 2020 NtAllocateVirtualMemory (-1, 1179648, 0, 4096, 4096, 260, ... 1179648, 4096, ) == 0x0 00544 2020 NtAllocateVirtualMemory (-1, 1175552, 0, 4096, 4096, 260, ... 1175552, 4096, ) == 0x0 00545 2020 NtAllocateVirtualMemory (-1, 1171456, 0, 4096, 4096, 260, ... 1171456, 4096, ) == 0x0 00546 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 80, {status=0x0, info=1}, ) }, 3, 16417, ... 80, {status=0x0, info=1}, ) == 0x0 00547 2020 NtQueryInformationFile (80, 1243908, 528, Name, ... {status=0x0, info=6}, ) == 0x0 00548 2020 NtQueryVolumeInformationFile (80, 1399280, 284, Volume, ... {status=0x0, info=18}, ) == 0x0 00549 2020 NtClose (80, ... 
) == 0x0 00550 2020 NtOpenProcess (0x1f0fff, {24, 0, 0x0, 0, 0, 0x0}, {868, 0}, ... 80, ) == 0x0 00551 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00552 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242940, ... ) }, 1242940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00553 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242940, ... ) }, 1242940, ... ) == 0x0 00554 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0 00555 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 84, ... 88, ) == 0x0 00556 2020 NtQuerySection (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00557 2020 NtClose (84, ... ) == 0x0 00558 2020 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00559 2020 NtClose (88, ... ) == 0x0 00560 2020 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00561 2020 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00562 2020 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00563 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00564 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242124, ... ) }, 1242124, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00565 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242124, ... ) }, 1242124, ... ) == 0x0 00566 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 
88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00567 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 84, ) == 0x0 00568 2020 NtQuerySection (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00569 2020 NtClose (88, ... ) == 0x0 00570 2020 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00571 2020 NtClose (84, ... ) == 0x0 00572 2020 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00573 2020 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00574 2020 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00575 2020 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00576 2020 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00577 2020 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00578 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00579 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00580 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00581 2020 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00582 2020 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00583 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16121856, 65536, ) == 0x0 00584 2020 NtAllocateVirtualMemory (-1, 16121856, 0, 4096, 4096, 4, ... 16121856, 4096, ) == 0x0 00585 2020 NtAllocateVirtualMemory (-1, 16125952, 0, 4096, 4096, 4, ... 16125952, 4096, ) == 0x0 00586 2020 NtAllocateVirtualMemory (-1, 16130048, 0, 4096, 4096, 4, ... 16130048, 4096, ) == 0x0 00587 2020 NtQueryVirtualMemory (-1, 0x42573c, Basic, 28, ... {BaseAddress=0x425000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x3000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00588 2020 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00589 2020 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00590 2020 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00591 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 84, ) }, ... 84, ) == 0x0 00592 2020 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0 00593 2020 NtClose (84, ... ) == 0x0 00594 2020 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00595 2020 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00596 2020 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00597 2020 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00598 2020 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... 
(0x42c11000), 4096, 4, ) == 0x0 00599 2020 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00600 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0 00601 2020 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0 00602 2020 NtClose (84, ... ) == 0x0 00603 2020 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00604 2020 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00605 2020 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00606 2020 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00607 2020 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00608 2020 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00609 2020 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00610 2020 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00611 2020 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00612 2020 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00613 2020 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00614 2020 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00615 2020 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00616 2020 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00617 2020 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00618 2020 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00619 2020 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00620 2020 NtFlushInstructionCache (-1, 1119948800, 1452, ... 
) == 0x0 00621 2020 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00622 2020 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00623 2020 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00624 2020 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00625 2020 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00626 2020 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00627 2020 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00628 2020 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00629 2020 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00630 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 84, ) }, ... 84, ) == 0x0 00631 2020 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xf70000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE 00632 2020 NtProtectVirtualMemory (-1, (0xf71000), 18944, 4, ... (0xf71000), 20480, 32, ) == 0x0 00633 2020 NtProtectVirtualMemory (-1, (0xf77000), 1024, 4, ... (0xf77000), 4096, 2, ) == 0x0 00634 2020 NtProtectVirtualMemory (-1, (0xf78000), 1536, 4, ... (0xf78000), 4096, 2, ) == 0x0 00635 2020 NtMapViewOfSection (84, -1, (0xf70000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 00636 2020 NtProtectVirtualMemory (-1, (0xf71000), 18944, 16, ... (0xf71000), 20480, 4, ) == 0x0 00637 2020 NtProtectVirtualMemory (-1, (0xf77000), 1024, 2, ... (0xf77000), 4096, 8, ) == 0x0 00638 2020 NtProtectVirtualMemory (-1, (0xf78000), 1536, 2, ... (0xf78000), 4096, 8, ) == 0x0 00639 2020 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 00640 2020 NtClose (84, ... ) == 0x0 00641 2020 NtProtectVirtualMemory (-1, (0xf71000), 160, 4, ... 
(0xf71000), 4096, 16, ) == 0x0 00642 2020 NtProtectVirtualMemory (-1, (0xf71000), 4096, 16, ... (0xf71000), 4096, 4, ) == 0x0 00643 2020 NtFlushInstructionCache (-1, 16191488, 160, ... ) == 0x0 00644 2020 NtProtectVirtualMemory (-1, (0xf71000), 160, 4, ... (0xf71000), 4096, 16, ) == 0x0 00645 2020 NtProtectVirtualMemory (-1, (0xf71000), 4096, 16, ... (0xf71000), 4096, 4, ) == 0x0 00646 2020 NtFlushInstructionCache (-1, 16191488, 160, ... ) == 0x0 00647 2020 NtProtectVirtualMemory (-1, (0xf71000), 160, 4, ... (0xf71000), 4096, 16, ) == 0x0 00648 2020 NtProtectVirtualMemory (-1, (0xf71000), 4096, 16, ... (0xf71000), 4096, 4, ) == 0x0 00649 2020 NtFlushInstructionCache (-1, 16191488, 160, ... ) == 0x0 00650 2020 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00651 2020 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00652 2020 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00653 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 84, ) }, ... 84, ) == 0x0 00654 2020 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0 00655 2020 NtClose (84, ... ) == 0x0 00656 2020 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00657 2020 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00658 2020 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00659 2020 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00660 2020 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00661 2020 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00662 2020 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00663 2020 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... 
(0x42991000), 4096, 4, ) == 0x0 00664 2020 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00665 2020 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00666 2020 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00667 2020 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00668 2020 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00669 2020 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00670 2020 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00671 2020 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00672 2020 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00673 2020 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00674 2020 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00675 2020 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00676 2020 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00677 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00678 2020 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00679 2020 NtCreateSemaphore (0x1f0003, {24, 48, 0x80, 1399888, 0, (0x1f0003, {24, 48, 0x80, 1399888, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 84, ) }, 0, 2147483647, ... 
84, ) == STATUS_OBJECT_NAME_EXISTS 00680 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00681 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00682 2020 NtQueryPerformanceCounter (... {1136536438, 16}, {3579545, 0}, ) == 0x0 00683 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininet.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00684 2020 NtQueryPerformanceCounter (... {1136536748, 16}, {3579545, 0}, ) == 0x0 00685 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00686 2020 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17956864, 1048576, ) == 0x0 00687 2020 NtAllocateVirtualMemory (-1, 17956864, 0, 4096, 4096, 4, ... 17956864, 4096, ) == 0x0 00688 2020 NtAllocateVirtualMemory (-1, 17960960, 0, 8192, 4096, 4, ... 17960960, 8192, ) == 0x0 00689 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0 00690 2020 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239844, (0xc0100080, {24, 0, 0x40, 0, 1239844, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 92, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 92, {status=0x0, info=0}, ) == 0x0 00691 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
96, ) == 0x0 00692 2020 NtDeviceIoControlFile (92, 96, 0x0, 0x12eb84, 0x22414c, (92, 96, 0x0, 0x12eb84, 0x22414c, "\314\353\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 00693 2020 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00694 2020 NtQueryValueKey (-2147482576, (-2147482576, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00695 2020 NtQueryValueKey (-2147482576, (-2147482576, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00696 2020 NtClose (-2147482576, ... ) == 0x0 00697 2020 NtClose (1072, ... ) == 0x0 00692 2020 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, "0\253\235\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#Seed\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00698 2020 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1240060, (0xc0100080, {24, 0, 0x40, 0, 1240060, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 104, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 104, {status=0x0, info=0}, ) == 0x0 00699 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0 00700 2020 NtDuplicateObject (-1, -1, -1, 0x0, 0, 2, ... 112, ) == 0x0 00701 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0 00702 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0 00703 2020 NtAllocateVirtualMemory (-1, 17969152, 0, 8192, 4096, 4, ... 17969152, 8192, ) == 0x0 00704 2020 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
19005440, 1048576, ) == 0x0 00705 2020 NtAllocateVirtualMemory (-1, 20045824, 0, 8192, 4096, 4, ... 20045824, 8192, ) == 0x0 00706 2020 NtProtectVirtualMemory (-1, (0x131e000), 4096, 260, ... (0x131e000), 4096, 4, ) == 0x0 00707 2020 NtCreateThread (0x1f03ff, 0x0, -1, 1239144, 1239088, 1, ... 124, {868, 928}, ) == 0x0 00708 2020 NtQueryInformationThread (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=868,Tid=928,}, 0x0, ) == 0x0 00709 2020 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 17957240} (24, {28, 56, new_msg, 0, 0, 0, 0, 17957240} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0|\0\0\0d\3\0\0\240\3\0\0" ... {28, 56, reply, 0, 868, 2020, 75661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0|\0\0\0d\3\0\0\240\3\0\0" ) ... {28, 56, reply, 0, 868, 2020, 75661, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 17957240} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0|\0\0\0d\3\0\0\240\3\0\0" ... {28, 56, reply, 0, 868, 2020, 75661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0|\0\0\0d\3\0\0\240\3\0\0" ) ) == 0x0 00710 2020 NtResumeThread (124, ... 1, ) == 0x0 00711 2020 NtClose (124, ... ) == 0x0 00712 928 NtCreateEvent (0x100003, 0x0, 1, 0, ... 124, ) == 0x0 00713 928 NtWaitForSingleObject (124, 0, 0x0, ... 00714 2020 NtSetEvent (108, ... 0x0, ) == 0x0 00715 2020 NtSetEvent (88, ... 0x0, ) == 0x0 00716 2020 NtClose (88, ... ) == 0x0 00717 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0 00718 2020 NtAllocateVirtualMemory (-1, 17977344, 0, 4096, 4096, 4, ... 17977344, 4096, ) == 0x0 00719 2020 NtDeviceIoControlFile (92, 96, 0x0, 0x12eb84, 0x22414c, (92, 96, 0x0, 0x12eb84, 0x22414c, "\314\353\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 
00720 2020 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00721 2020 NtQueryValueKey (-2147482576, (-2147482576, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00722 2020 NtQueryValueKey (-2147482576, (-2147482576, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00723 2020 NtClose (-2147482576, ... ) == 0x0 00724 2020 NtClose (1072, ... ) == 0x0 00719 2020 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, "\270\237\356\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\10\220h\341\20\7\7\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00725 2020 NtSetEvent (108, ... 0x0, ) == 0x0 00726 2020 NtSetEvent (88, ... 0x0, ) == 0x0 00727 2020 NtClose (88, ... ) == 0x0 00728 2020 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 00729 2020 NtOpenProcessToken (-1, 0xa, ... 88, ) == 0x0 00730 2020 NtDuplicateToken (88, 0xc, {24, 0, 0x0, 0, 1240328, 0x0}, 0, 2, ... 132, ) == 0x0 00731 2020 NtClose (88, ... ) == 0x0 00732 2020 NtAccessCheck (1405712, 132, 0x1, 1240404, 1240456, 56, 1240436, ... (0x1), ) == 0x0 00733 2020 NtClose (132, ... ) == 0x0 00734 2020 NtQueryDefaultUILanguage (1239208, ... 00735 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00736 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 00737 2020 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00738 2020 NtClose (-2147482576, ... ) == 0x0 00739 2020 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... 
-2147482576, ) == 0x0 00740 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00741 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482648, ) }, ... -2147482648, ) == 0x0 00742 2020 NtQueryValueKey (-2147482648, (-2147482648, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00743 2020 NtClose (-2147482648, ... ) == 0x0 00744 2020 NtClose (-2147482576, ... ) == 0x0 00734 2020 NtQueryDefaultUILanguage ... ) == 0x0 00745 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00746 2020 NtQueryDefaultUILanguage (2090319928, ... 00747 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00748 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 00749 2020 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00750 2020 NtClose (-2147482576, ... ) == 0x0 00751 2020 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00752 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00753 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482648, ) }, ... -2147482648, ) == 0x0 00754 2020 NtQueryValueKey (-2147482648, (-2147482648, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00755 2020 NtClose (-2147482648, ... ) == 0x0 00756 2020 NtClose (-2147482576, ... ) == 0x0 00746 2020 NtQueryDefaultUILanguage ... ) == 0x0 00757 2020 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 00758 2020 NtQueryDefaultLocale (1, 1237304, ... ) == 0x0 00759 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00760 2020 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064} (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064} "\210\6&\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6&\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6&\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 868, 2020, 75662, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6&\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6&\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 868, 2020, 75662, 0} (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064} "\210\6&\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6&\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6&\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 868, 2020, 75662, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6&\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6&\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ) ) == 0x0 00761 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00762 2020 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00763 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00764 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00765 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236532, ... ) }, 1236532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00766 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00767 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00768 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00769 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1236596, ... ) }, 1236596, ... ) == 0x0 00770 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 132, {status=0x0, info=1}, ) }, 3, 33, ... 132, {status=0x0, info=1}, ) == 0x0 00771 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00772 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00773 2020 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 88, ... 
136, ) == 0x0 00774 2020 NtClose (88, ... ) == 0x0 00775 2020 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1320000), 0x0, 1056768, ) == 0x0 00776 2020 NtClose (136, ... ) == 0x0 00777 2020 NtUnmapViewOfSection (-1, 0x1320000, ... ) == 0x0 00778 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 00779 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 88, ) == 0x0 00780 2020 NtQuerySection (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00781 2020 NtClose (136, ... ) == 0x0 00782 2020 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0 00783 2020 NtClose (88, ... ) == 0x0 00784 2020 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00785 2020 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00786 2020 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00787 2020 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00788 2020 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00789 2020 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00790 2020 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00791 2020 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00792 2020 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00793 2020 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00794 2020 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00795 2020 NtFlushInstructionCache (-1, 2000490496, 1924, ... 
) == 0x0 00796 2020 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00797 2020 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00798 2020 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00799 2020 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00800 2020 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00801 2020 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00802 2020 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00803 2020 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00804 2020 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00805 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00806 2020 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238076, ... ) , 42, 1238076, ... ) == 0x0 00807 2020 NtQueryDefaultUILanguage (1236760, ... 00808 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00809 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 00810 2020 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00811 2020 NtClose (-2147482576, ... ) == 0x0 00812 2020 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00813 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00814 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482648, ) }, ... -2147482648, ) == 0x0 00815 2020 NtQueryValueKey (-2147482648, (-2147482648, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00816 2020 NtClose (-2147482648, ... ) == 0x0 00817 2020 NtClose (-2147482576, ... ) == 0x0 00807 2020 NtQueryDefaultUILanguage ... ) == 0x0 00818 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235600, ... ) }, 1235600, ... ) == 0x0 00819 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00820 2020 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 88, ... 136, ) == 0x0 00821 2020 NtClose (88, ... ) == 0x0 00822 2020 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xf90000), 0x0, 4096, ) == 0x0 00823 2020 NtClose (136, ... ) == 0x0 00824 2020 NtUnmapViewOfSection (-1, 0xf90000, ... ) == 0x0 00825 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235196, ... ) }, 1235196, ... ) == 0x0 00826 2020 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1235940, (0x80100080, {24, 0, 0x40, 0, 1235940, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0 00827 2020 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 136, ... 88, ) == 0x0 00828 2020 NtClose (136, ... ) == 0x0 00829 2020 NtMapViewOfSection (88, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xf90000), {0, 0}, 4096, ) == 0x0 00830 2020 NtClose (88, ... ) == 0x0 00831 2020 NtUnmapViewOfSection (-1, 0xf90000, ... 
) == 0x0 00832 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 88, {status=0x0, info=1}, ) }, 1, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00833 2020 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 88, ... 136, ) == 0x0 00834 2020 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xf90000), 0x0, 4096, ) == 0x0 00835 2020 NtQueryInformationFile (88, 1235592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00836 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00837 2020 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1235892, 1179817, 1235616} (24, {128, 156, new_msg, 0, 2088850039, 1235892, 1179817, 1235616} "\210\6&\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6&\1X\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6&\1\0\0\0\0\0\0\0\0\250\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 868, 2020, 75663, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6&\1X\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6&\1\0\0\0\0\0\0\0\0\250\337\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 868, 2020, 75663, 0} (24, {128, 156, new_msg, 0, 2088850039, 1235892, 1179817, 1235616} "\210\6&\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6&\1X\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6&\1\0\0\0\0\0\0\0\0\250\337\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 868, 2020, 75663, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6&\1X\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6&\1\0\0\0\0\0\0\0\0\250\337\22\0\0\0\0\0" ) ) == 0x0 00838 2020 NtClose (88, ... ) == 0x0 00839 2020 NtClose (136, ... ) == 0x0 00840 2020 NtUnmapViewOfSection (-1, 0xf90000, ... ) == 0x0 00841 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00842 2020 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00843 2020 NtUserSystemParametersInfo (104, 0, 2001084812, 0, ... ) == 0x1 00844 2020 NtUserGetDC (0, ... ) == 0x1010054 00845 2020 NtUserCallOneParam (16842836, 57, ... ) == 0x1 00846 2020 NtUserSystemParametersInfo (38, 4, 2001086940, 0, ... ) == 0x1 00847 2020 NtUserSystemParametersInfo (66, 12, 1237592, 0, ... ) == 0x1 00848 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00849 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 136, ) == 0x0 00850 2020 NtQueryInformationToken (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00851 2020 NtClose (136, ... ) == 0x0 00852 2020 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 136, ) }, ... 136, ) == 0x0 00853 2020 NtOpenProcessToken (-1, 0x8, ... 88, ) == 0x0 00854 2020 NtAccessCheck (1405712, 88, 0x1, 1237424, 1237476, 56, 1237456, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00855 2020 NtClose (88, ... ) == 0x0 00856 2020 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "Control Panel\Desktop"}, ... 88, ) }, ... 88, ) == 0x0 00857 2020 NtQueryValueKey (88, (88, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00858 2020 NtClose (88, ... ) == 0x0 00859 2020 NtUserSystemParametersInfo (41, 500, 1237620, 0, ... 
) == 0x1 00860 2020 NtOpenProcessToken (-1, 0x8, ... 88, ) == 0x0 00861 2020 NtAccessCheck (1405712, 88, 0x1, 1237424, 1237476, 56, 1237456, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00862 2020 NtClose (88, ... ) == 0x0 00863 2020 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 88, ) }, ... 88, ) == 0x0 00864 2020 NtQueryValueKey (88, (88, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00865 2020 NtClose (88, ... ) == 0x0 00866 2020 NtUserSystemParametersInfo (27, 0, 2001085788, 0, ... ) == 0x1 00867 2020 NtUserSystemParametersInfo (102, 0, 2001086828, 0, ... ) == 0x1 00868 2020 NtClose (136, ... ) == 0x0 00869 2020 NtUserSystemParametersInfo (4130, 0, 1238124, 0, ... ) == 0x1 00870 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 136, ) }, ... 136, ) == 0x0 00871 2020 NtEnumerateValueKey (136, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00872 2020 NtClose (136, ... ) == 0x0 00873 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00874 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc03b 00875 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc03d 00876 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00877 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc03f 00878 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00879 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc041 00880 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00881 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... 
) == 0x819fc043 00882 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc045 00883 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00884 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc047 00885 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00886 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc049 00887 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00888 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc04b 00889 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00890 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc04d 00891 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00892 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc04f 00893 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc051 00894 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00895 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc053 00896 2020 NtUserFindExistingCursorIcon (1237368, 1237384, 1237432, ... ) == 0x10011 00897 2020 NtUserRegisterClassExWOW (1237312, 1237380, 1237396, 1237412, 0, 384, 0, ... ) == 0x819fc055 00898 2020 NtUserFindExistingCursorIcon (1237368, 1237384, 1237432, ... ) == 0x10011 00899 2020 NtUserRegisterClassExWOW (1237312, 1237380, 1237396, 1237412, 0, 384, 0, ... ) == 0x819fc057 00900 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00901 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc059 00902 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... 
) == 0x10013 00903 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc05b 00904 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00905 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc05d 00906 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00907 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc05f 00908 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00909 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc017 00910 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00911 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc019 00912 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10013 00913 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc018 00914 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00915 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc01a 00916 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00917 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc01c 00918 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00919 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc01e 00920 2020 NtUserFindExistingCursorIcon (1237364, 1237380, 1237428, ... ) == 0x10011 00921 2020 NtUserRegisterClassExWOW (1237364, 1237432, 1237448, 1237464, 0, 384, 0, ... ) == 0x819fc01b 00922 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00923 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... 
) == 0x819fc068 00924 2020 NtUserFindExistingCursorIcon (1237372, 1237388, 1237436, ... ) == 0x10011 00925 2020 NtUserRegisterClassExWOW (1237316, 1237384, 1237400, 1237416, 0, 384, 0, ... ) == 0x819fc06a 00926 2020 NtCreateKey (0x2001f, {24, 52, 0x40, 0, 0, (0x2001f, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 00927 2020 NtSetEventBoostPriority (124, ... 00713 928 NtWaitForSingleObject ... ) == 0x0 00928 928 NtTestAlert (... ) == 0x0 00929 928 NtContinue (20053296, 1, ... 00930 928 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00931 928 NtDeviceIoControlFile (104, 116, 0x0, 0x77e466a0, 0x228144, (104, 116, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0p\0\0\0\0\0\0\0\200\0\0\0\0\0\0\0d\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103 00927 2020 NtSetEventBoostPriority ... ) == 0x0 00932 2020 NtQueryValueKey (136, (136, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 2020 NtQueryValueKey (136, (136, "SecureProtocols", Partial, 144, ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "SecureProtocols", Partial, 144, ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0 00934 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies"}, ... 88, ) }, ... 88, ) == 0x0 00935 2020 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Software\Policies"}, ... 140, ) }, ... 140, ) == 0x0 00936 2020 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Software"}, ... }, ... 00937 928 NtWaitForMultipleObjects (2, (108, 116, ), 1, 1, {1294967296, -1}, ... 
) == 0x0 00938 928 NtDeviceIoControlFile (104, 120, 0x0, 0x77e46680, 0x228144, (104, 120, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0p\0\0\0\0\0\0\0\200\0\0\0\0\0\0\0d\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103 00939 928 NtWaitForMultipleObjects (2, (108, 120, ), 1, 1, {1294967296, -1}, ... 00936 2020 NtOpenKey ... 144, ) == 0x0 00940 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software"}, ... 148, ) }, ... 148, ) == 0x0 00941 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00944 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 152, ) }, ... 152, ) == 0x0 00945 2020 NtQueryValueKey (152, (152, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00946 2020 NtClose (152, ... ) == 0x0 00947 2020 NtQueryValueKey (136, (136, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00948 2020 NtQueryValueKey (136, (136, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00949 2020 NtQueryValueKey (136, (136, "IdnEnabled", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00950 2020 NtQueryValueKey (136, (136, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 2020 NtQueryValueKey (136, (136, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00952 2020 NtQueryValueKey (136, (136, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 2020 NtQueryValueKey (136, (136, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00954 2020 NtQueryValueKey (136, (136, "DisableBasicOverClearChannel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00956 2020 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00957 2020 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 152, ) }, ... 152, ) == 0x0 00959 2020 NtQueryValueKey (152, (152, "Feature_ClientAuthCertFilter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00960 2020 NtClose (152, ... 
) == 0x0 00961 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00962 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239848, ... ) }, 1239848, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 1239848, ... ) }, 1239848, ... ) == 0x0 00964 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0 00965 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 152, ... 156, ) == 0x0 00966 2020 NtQuerySection (156, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00967 2020 NtClose (152, ... ) == 0x0 00968 2020 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0 00969 2020 NtClose (156, ... ) == 0x0 00970 2020 NtProtectVirtualMemory (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0 00971 2020 NtProtectVirtualMemory (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0 00972 2020 NtFlushInstructionCache (-1, 2013138944, 388, ... ) == 0x0 00973 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00974 2020 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 156, ) == 0x0 00975 2020 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 152, ) == 0x0 00976 2020 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 160, ) }, ... 160, ) == 0x0 00977 2020 NtQueryEvent (160, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 00978 2020 NtClose (160, ... 
) == 0x0 00979 2020 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241420, 140, ... 160, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241420, 140, ... 160, 0x0, 0x0, 256, 140, ) == 0x0 00980 2020 NtRequestWaitReplyPort (160, {28, 52, new_msg, 0, 0, 0, 0, 0} (160, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\210\6\24\0" ... {188, 212, reply, 0, 868, 2020, 75665, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ... {188, 212, reply, 0, 868, 2020, 75665, 0} (160, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\210\6\24\0" ... {188, 212, reply, 0, 868, 2020, 75665, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ) == 0x0 00981 2020 NtQueryValueKey (136, (136, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00982 2020 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 164, ) }, ... 164, ) == 0x0 00983 2020 NtQueryValueKey (164, (164, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00984 2020 NtClose (164, ... 
) == 0x0 00985 2020 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 164, ) }, ... 164, ) == 0x0 00986 2020 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 168, ) }, ... 168, ) == 0x0 00987 2020 NtOpenKey (0x9, {24, 52, 0x40, 0, 0, (0x9, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 172, ) }, ... 172, ) == 0x0 00988 2020 NtQueryValueKey (172, (172, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00989 2020 NtQueryValueKey (172, (172, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00990 2020 NtClose (172, ... ) == 0x0 00991 2020 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "Content"}, ... 172, ) }, ... 172, ) == 0x0 00992 2020 NtQueryValueKey (172, (172, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00993 2020 NtOpenKey (0xf, {24, 164, 0x40, 0, 0, (0xf, {24, 164, 0x40, 0, 0, "Content"}, ... 176, ) }, ... 176, ) == 0x0 00994 2020 NtQueryValueKey (176, (176, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "PerUserItem", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00995 2020 NtClose (176, ... ) == 0x0 00996 2020 NtClose (172, ... ) == 0x0 00997 2020 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "Content"}, ... 172, ) }, ... 172, ) == 0x0 00998 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 176, ) }, ... 176, ) == 0x0 00999 2020 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0 01000 2020 NtClose (176, ... ) == 0x0 01001 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01002 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01003 2020 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01004 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01005 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01006 2020 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01007 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01008 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01009 2020 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01010 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01011 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01012 2020 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01013 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01014 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01015 2020 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01016 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... 
(0x7c9c1000), 8192, 32, ) == 0x0 01017 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01018 2020 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01019 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01020 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01021 2020 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01022 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01023 2020 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01024 2020 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01025 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01026 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 176, ) }, ... 176, ) == 0x0 01027 2020 NtQueryValueKey (176, (176, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01028 2020 NtClose (176, ... ) == 0x0 01029 2020 NtQueryDefaultUILanguage (1236444, ... 01030 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01031 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 01032 2020 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01033 2020 NtClose (-2147482576, ... ) == 0x0 01034 2020 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... 
-2147482576, ) == 0x0 01035 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01036 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482648, ) }, ... -2147482648, ) == 0x0 01037 2020 NtQueryValueKey (-2147482648, (-2147482648, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01038 2020 NtClose (-2147482648, ... ) == 0x0 01039 2020 NtClose (-2147482576, ... ) == 0x0 01029 2020 NtQueryDefaultUILanguage ... ) == 0x0 01040 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 176, {status=0x0, info=1}, ) }, 1, 96, ... 176, {status=0x0, info=1}, ) == 0x0 01041 2020 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 176, ... 180, ) == 0x0 01042 2020 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x1320000), 0x0, 8462336, ) == 0x0 01043 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01044 2020 NtQueryDefaultLocale (1, 1234540, ... ) == 0x0 01045 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01046 2020 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1235576, 1179817, 1235300} (24, {128, 156, new_msg, 0, 2088850039, 1235576, 1179817, 1235300} "\210\6&\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6&\1\260\0\0\0\377\377\377\377\0\0\0\0@ U\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6&\1\0\0\0\0\0\0\0\0l\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 868, 2020, 75666, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6&\1\260\0\0\0\377\377\377\377\0\0\0\0@ U\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6&\1\0\0\0\0\0\0\0\0l\336\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 868, 2020, 75666, 0} (24, {128, 156, new_msg, 0, 2088850039, 1235576, 1179817, 1235300} "\210\6&\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6&\1\260\0\0\0\377\377\377\377\0\0\0\0@ U\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6&\1\0\0\0\0\0\0\0\0l\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 868, 2020, 75666, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6&\1\260\0\0\0\377\377\377\377\0\0\0\0@ U\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6&\1\0\0\0\0\0\0\0\0l\336\22\0\0\0\0\0" ) ) == 0x0 01047 2020 NtClose (176, ... ) == 0x0 01048 2020 NtClose (180, ... ) == 0x0 01049 2020 NtUnmapViewOfSection (-1, 0x1320000, ... ) == 0x0 01050 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01051 2020 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01052 2020 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 01053 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01054 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233732, ... ) }, 1233732, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01055 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01056 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01057 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01058 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1233796, ... ) }, 1233796, ... ) == 0x0 01059 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 180, {status=0x0, info=1}, ) }, 3, 33, ... 180, {status=0x0, info=1}, ) == 0x0 01060 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01061 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 176, ) }, ... 176, ) == 0x0 01062 2020 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0 01063 2020 NtClose (176, ... ) == 0x0 01064 2020 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01065 2020 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01066 2020 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01067 2020 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01068 2020 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01069 2020 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01070 2020 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01071 2020 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... 
(0x5d091000), 4096, 4, ) == 0x0 01072 2020 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01073 2020 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01074 2020 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01075 2020 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01076 2020 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01077 2020 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01078 2020 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01079 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01080 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01081 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16449536, 65536, ) == 0x0 01082 2020 NtAllocateVirtualMemory (-1, 16449536, 0, 4096, 4096, 4, ... 16449536, 4096, ) == 0x0 01083 2020 NtAllocateVirtualMemory (-1, 16453632, 0, 8192, 4096, 4, ... 16453632, 8192, ) == 0x0 01084 2020 NtAllocateVirtualMemory (-1, 16461824, 0, 4096, 4096, 4, ... 16461824, 4096, ) == 0x0 01085 2020 NtAllocateVirtualMemory (-1, 16465920, 0, 4096, 4096, 4, ... 16465920, 4096, ) == 0x0 01086 2020 NtQueryDefaultUILanguage (1234572, ... 01087 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01088 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 01089 2020 NtQueryInformationToken (-2147482576, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01090 2020 NtClose (-2147482576, ... ) == 0x0 01091 2020 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 01092 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01093 2020 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482648, ) }, ... -2147482648, ) == 0x0 01094 2020 NtQueryValueKey (-2147482648, (-2147482648, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01095 2020 NtClose (-2147482648, ... ) == 0x0 01096 2020 NtClose (-2147482576, ... ) == 0x0 01086 2020 NtQueryDefaultUILanguage ... ) == 0x0 01097 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 176, {status=0x0, info=1}, ) }, 1, 96, ... 176, {status=0x0, info=1}, ) == 0x0 01098 2020 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 176, ... 184, ) == 0x0 01099 2020 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xfc0000), 0x0, 618496, ) == 0x0 01100 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01101 2020 NtQueryDefaultLocale (1, 1232668, ... ) == 0x0 01102 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01103 2020 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1233704, 1179817, 1233428} (24, {128, 156, new_msg, 0, 2088850039, 1233704, 1179817, 1233428} "\210\6&\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6&\1\260\0\0\0\377\377\377\377\0\0\0\0\340q\3\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6&\1\0\0\0\0\0\0\0\0\34\327\22\0\0\0\0\0" ... {128, 156, reply, 0, 868, 2020, 75667, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6&\1\260\0\0\0\377\377\377\377\0\0\0\0\340q\3\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6&\1\0\0\0\0\0\0\0\0\34\327\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 868, 2020, 75667, 0} (24, {128, 156, new_msg, 0, 2088850039, 1233704, 1179817, 1233428} "\210\6&\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6&\1\260\0\0\0\377\377\377\377\0\0\0\0\340q\3\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6&\1\0\0\0\0\0\0\0\0\34\327\22\0\0\0\0\0" ... {128, 156, reply, 0, 868, 2020, 75667, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6&\1\260\0\0\0\377\377\377\377\0\0\0\0\340q\3\1\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6&\1\0\0\0\0\0\0\0\0\34\327\22\0\0\0\0\0" ) ) == 0x0 01104 2020 NtClose (176, ... ) == 0x0 01105 2020 NtClose (184, ... ) == 0x0 01106 2020 NtUnmapViewOfSection (-1, 0xfc0000, ... ) == 0x0 01107 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01108 2020 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {868, 0}, ... 184, ) == 0x0 01109 2020 NtQueryInformationProcess (184, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01110 2020 NtClose (184, ... ) == 0x0 01111 2020 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... 
) , ... ) == 0xc03a 01112 2020 NtUserSystemParametersInfo (104, 0, 1561338260, 0, ... ) == 0x1 01113 2020 NtUserSystemParametersInfo (38, 4, 1561337988, 0, ... ) == 0x1 01114 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01115 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 184, ) == 0x0 01116 2020 NtQueryInformationToken (184, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01117 2020 NtClose (184, ... ) == 0x0 01118 2020 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 184, ) }, ... 184, ) == 0x0 01119 2020 NtOpenProcessToken (-1, 0x8, ... 176, ) == 0x0 01120 2020 NtAccessCheck (1405712, 176, 0x1, 1235764, 1235816, 56, 1235796, ... ) == STATUS_NO_IMPERSONATION_TOKEN 01121 2020 NtClose (176, ... ) == 0x0 01122 2020 NtOpenKey (0x20019, {24, 184, 0x40, 0, 0, (0x20019, {24, 184, 0x40, 0, 0, "Control Panel\Desktop"}, ... 176, ) }, ... 176, ) == 0x0 01123 2020 NtQueryValueKey (176, (176, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01124 2020 NtClose (176, ... ) == 0x0 01125 2020 NtUserSystemParametersInfo (41, 500, 1235944, 0, ... ) == 0x1 01126 2020 NtUserSystemParametersInfo (102, 0, 1561338280, 0, ... ) == 0x1 01127 2020 NtClose (184, ... ) == 0x0 01128 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01129 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc03b 01130 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc03d 01131 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01132 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc03f 01133 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01134 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... 
) == 0x819fc041 01135 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01136 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc043 01137 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc045 01138 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01139 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc047 01140 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01141 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc049 01142 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01143 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc04b 01144 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01145 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc04d 01146 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01147 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc04f 01148 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc051 01149 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01150 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc053 01151 2020 NtUserFindExistingCursorIcon (1235692, 1235708, 1235756, ... ) == 0x10011 01152 2020 NtUserRegisterClassExWOW (1235636, 1235704, 1235720, 1235736, 0, 384, 0, ... ) == 0x819fc055 01153 2020 NtUserFindExistingCursorIcon (1235692, 1235708, 1235756, ... ) == 0x10011 01154 2020 NtUserRegisterClassExWOW (1235636, 1235704, 1235720, 1235736, 0, 384, 0, ... ) == 0x819fc057 01155 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... 
) == 0x10011 01156 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc059 01157 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10013 01158 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc05b 01159 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01160 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc05d 01161 2020 NtUserFindExistingCursorIcon (1235696, 1235712, 1235760, ... ) == 0x10011 01162 2020 NtUserRegisterClassExWOW (1235640, 1235708, 1235724, 1235740, 0, 384, 0, ... ) == 0x819fc05f 01163 2020 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01164 2020 NtCreateSemaphore (0x1f0003, {24, 48, 0x80, 1399888, 0, (0x1f0003, {24, 48, 0x80, 1399888, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 184, ) }, 0, 2147483647, ... 184, ) == STATUS_OBJECT_NAME_EXISTS 01165 2020 NtReleaseSemaphore (184, 1, ... 0, ) == 0x0 01166 2020 NtWaitForSingleObject (184, 0, {0, 0}, ... ) == 0x0 01167 2020 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01168 2020 NtQueryValueKey (176, (176, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01169 2020 NtClose (176, ... 
) == 0x0 01170 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1239516, ... ) }, 1239516, ... ) == 0x0 01171 2020 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01172 2020 NtSetValueKey (176, (176, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 0, 1, (176, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 162, ... ) == 0x0 01173 2020 NtClose (176, ... ) == 0x0 01174 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1240208, ... ) }, 1240208, ... ) == 0x0 01175 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1239416, ... ) }, 1239416, ... ) == 0x0 01176 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0 01177 2020 NtSetInformationFile (176, 1239388, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01178 2020 NtClose (176, ... 
) == 0x0 01179 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 1239412, ... ) }, 1239412, ... ) == 0x0 01180 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 1240208, ... ) }, 1240208, ... ) == 0x0 01181 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 1239416, ... ) }, 1239416, ... ) == 0x0 01182 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0 01183 2020 NtSetInformationFile (176, 1239388, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01184 2020 NtClose (176, ... ) == 0x0 01185 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1239412, ... ) }, 1239412, ... ) == 0x0 01186 2020 NtQueryValueKey (172, (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01187 2020 NtQueryValueKey (172, (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01188 2020 NtQueryValueKey (172, (172, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (172, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0 01189 2020 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "Cookies"}, ... 176, ) }, ... 176, ) == 0x0 01190 2020 NtQueryValueKey (176, (176, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01191 2020 NtOpenKey (0xf, {24, 164, 0x40, 0, 0, (0xf, {24, 164, 0x40, 0, 0, "Cookies"}, ... 188, ) }, ... 188, ) == 0x0 01192 2020 NtQueryValueKey (188, (188, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01193 2020 NtClose (188, ... ) == 0x0 01194 2020 NtClose (176, ... ) == 0x0 01195 2020 NtClose (172, ... ) == 0x0 01196 2020 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "Cookies"}, ... 172, ) }, ... 172, ) == 0x0 01197 2020 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01198 2020 NtReleaseSemaphore (184, 1, ... 0, ) == 0x0 01199 2020 NtWaitForSingleObject (184, 0, {0, 0}, ... ) == 0x0 01200 2020 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01201 2020 NtQueryValueKey (176, (176, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01202 2020 NtClose (176, ... ) == 0x0 01203 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 1239516, ... ) }, 1239516, ... 
) == 0x0 01204 2020 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01205 2020 NtSetValueKey (176, (176, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 0, 1, (176, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 98, ... ) == 0x0 01206 2020 NtClose (176, ... ) == 0x0 01207 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 1240208, ... ) }, 1240208, ... ) == 0x0 01208 2020 NtQueryValueKey (172, (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01209 2020 NtQueryValueKey (172, (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01210 2020 NtQueryValueKey (172, (172, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01211 2020 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "History"}, ... 176, ) }, ... 176, ) == 0x0 01212 2020 NtQueryValueKey (176, (176, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01213 2020 NtOpenKey (0xf, {24, 164, 0x40, 0, 0, (0xf, {24, 164, 0x40, 0, 0, "History"}, ... 188, ) }, ... 188, ) == 0x0 01214 2020 NtQueryValueKey (188, (188, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01215 2020 NtClose (188, ... ) == 0x0 01216 2020 NtClose (176, ... ) == 0x0 01217 2020 NtClose (172, ... ) == 0x0 01218 2020 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "History"}, ... 172, ) }, ... 172, ) == 0x0 01219 2020 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01220 2020 NtReleaseSemaphore (184, 1, ... 0, ) == 0x0 01221 2020 NtWaitForSingleObject (184, 0, {0, 0}, ... ) == 0x0 01222 2020 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0 01223 2020 NtQueryValueKey (176, (176, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01224 2020 NtClose (176, ... ) == 0x0 01225 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1239516, ... ) }, 1239516, ... ) == 0x0 01226 2020 NtCreateKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 
176, 2, ) == 0x0 01227 2020 NtSetValueKey (176, (176, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 0, 1, (176, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 128, ... ) == 0x0 01228 2020 NtClose (176, ... ) == 0x0 01229 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1240208, ... ) }, 1240208, ... ) == 0x0 01230 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1239416, ... ) }, 1239416, ... ) == 0x0 01231 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0 01232 2020 NtSetInformationFile (176, 1239388, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01233 2020 NtClose (176, ... ) == 0x0 01234 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 1239412, ... ) }, 1239412, ... ) == 0x0 01235 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 1240208, ... ) }, 1240208, ... ) == 0x0 01236 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 1239416, ... ) }, 1239416, ... 
) == 0x0 01237 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0 01238 2020 NtSetInformationFile (176, 1239388, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01239 2020 NtClose (176, ... ) == 0x0 01240 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 1239412, ... ) }, 1239412, ... ) == 0x0 01241 2020 NtQueryValueKey (172, (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01242 2020 NtQueryValueKey (172, (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01243 2020 NtQueryValueKey (172, (172, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01244 2020 NtClose (172, ... ) == 0x0 01245 2020 NtClose (168, ... ) == 0x0 01246 2020 NtClose (164, ... ) == 0x0 01247 2020 NtOpenMutant (0x100000, {24, 48, 0x0, 0, 0, (0x100000, {24, 48, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... 164, ) }, ... 164, ) == 0x0 01248 2020 NtOpenMutant (0x100000, {24, 48, 0x0, 0, 0, (0x100000, {24, 48, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... 168, ) }, ... 
168, ) == 0x0 01249 2020 NtWaitForSingleObject (168, 0, 0x0, ... ) == 0x0 01250 2020 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0 01251 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241516, ... ) }, 1241516, ... ) == 0x0 01252 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 172, {status=0x0, info=1}, ) }, 7, 2113568, ... 172, {status=0x0, info=1}, ) == 0x0 01253 2020 NtSetInformationFile (172, 1241492, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01254 2020 NtClose (172, ... ) == 0x0 01255 2020 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1241432, (0xc0100080, {24, 0, 0x40, 0, 1241432, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0 01256 2020 NtSetInformationFile (172, 1241484, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01257 2020 NtQueryInformationFile (172, 1241484, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01258 2020 NtOpenSection (0x2, {24, 48, 0x0, 0, 0, (0x2, {24, 48, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... 176, ) }, ... 176, ) == 0x0 01259 2020 NtMapViewOfSection (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x1330000), {0, 0}, 802816, ) == 0x0 01260 2020 NtReleaseMutant (168, ... 0x0, ) == 0x0 01261 2020 NtOpenMutant (0x100000, {24, 48, 0x0, 0, 0, (0x100000, {24, 48, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... 188, ) }, ... 188, ) == 0x0 01262 2020 NtWaitForSingleObject (188, 0, 0x0, ... 
) == 0x0 01263 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 1241516, ... ) }, 1241516, ... ) == 0x0 01264 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... 192, {status=0x0, info=1}, ) }, 7, 2113568, ... 192, {status=0x0, info=1}, ) == 0x0 01265 2020 NtSetInformationFile (192, 1241492, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01266 2020 NtClose (192, ... ) == 0x0 01267 2020 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1241432, (0xc0100080, {24, 0, 0x40, 0, 1241432, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 01268 2020 NtSetInformationFile (192, 1241484, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01269 2020 NtQueryInformationFile (192, 1241484, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01270 2020 NtOpenSection (0x2, {24, 48, 0x0, 0, 0, (0x2, {24, 48, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... 196, ) }, ... 196, ) == 0x0 01271 2020 NtMapViewOfSection (196, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xfc0000), {0, 0}, 32768, ) == 0x0 01272 2020 NtReleaseMutant (188, ... 0x0, ) == 0x0 01273 2020 NtOpenMutant (0x100000, {24, 48, 0x0, 0, 0, (0x100000, {24, 48, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... 200, ) }, ... 200, ) == 0x0 01274 2020 NtWaitForSingleObject (200, 0, 0x0, ... ) == 0x0 01275 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 1241516, ... ) }, 1241516, ... 
) == 0x0 01276 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 204, {status=0x0, info=1}, ) }, 7, 2113568, ... 204, {status=0x0, info=1}, ) == 0x0 01277 2020 NtSetInformationFile (204, 1241492, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01278 2020 NtClose (204, ... ) == 0x0 01279 2020 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1241432, (0xc0100080, {24, 0, 0x40, 0, 1241432, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 204, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 204, {status=0x0, info=1}, ) == 0x0 01280 2020 NtSetInformationFile (204, 1241484, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01281 2020 NtQueryInformationFile (204, 1241484, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01282 2020 NtOpenSection (0x2, {24, 48, 0x0, 0, 0, (0x2, {24, 48, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... 208, ) }, ... 208, ) == 0x0 01283 2020 NtMapViewOfSection (208, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xfd0000), {0, 0}, 81920, ) == 0x0 01284 2020 NtReleaseMutant (200, ... 0x0, ) == 0x0 01285 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241092, ... ) }, 1241092, ... ) == 0x0 01286 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 212, {status=0x0, info=1}, ) }, 7, 2113568, ... 212, {status=0x0, info=1}, ) == 0x0 01287 2020 NtSetInformationFile (212, 1241064, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01288 2020 NtClose (212, ... 
) == 0x0 01289 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241088, ... ) }, 1241088, ... ) == 0x0 01290 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 1241092, ... ) }, 1241092, ... ) == 0x0 01291 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 212, {status=0x0, info=1}, ) }, 7, 2113568, ... 212, {status=0x0, info=1}, ) == 0x0 01292 2020 NtSetInformationFile (212, 1241064, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01293 2020 NtClose (212, ... ) == 0x0 01294 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 1241088, ... ) }, 1241088, ... ) == 0x0 01295 2020 NtWaitForSingleObject (168, 0, 0x0, ... ) == 0x0 01296 2020 NtReleaseMutant (168, ... 0x0, ) == 0x0 01297 2020 NtOpenKey (0xf, {24, 52, 0x40, 0, 0, (0xf, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 212, ) }, ... 212, ) == 0x0 01298 2020 NtOpenKey (0xf, {24, 212, 0x40, 0, 0, (0xf, {24, 212, 0x40, 0, 0, "Extensible Cache"}, ... 216, ) }, ... 216, ) == 0x0 01299 2020 NtClose (212, ... ) == 0x0 01300 2020 NtWaitForSingleObject (164, 0, {-600000000, -1}, ... ) == 0x0 01301 2020 NtEnumerateKey (216, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= (216, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0 01302 2020 NtOpenKey (0xf, {24, 216, 0x40, 0, 0, (0xf, {24, 216, 0x40, 0, 0, "feedplat"}, ... 212, ) }, ... 212, ) == 0x0 01303 2020 NtQueryValueKey (212, (212, "CacheRepair", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01304 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01305 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (212, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 01306 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01307 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (212, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 01308 2020 NtQueryValueKey (212, (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 01309 2020 NtQueryValueKey (212, (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 01310 2020 NtQueryValueKey (212, (212, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01311 2020 NtQueryValueKey (212, (212, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01312 2020 NtClose (212, ... ) == 0x0 01313 2020 NtEnumerateKey (216, 1, Basic, 288, ... {LastWrite={0x4121a6b6,0x1c8903b}, TitleIdx=0, Name= (216, 1, Basic, 288, ... {LastWrite={0x4121a6b6,0x1c8903b}, TitleIdx=0, Name="MSHist012008032720080328"}, 64, ) }, 64, ) == 0x0 01314 2020 NtOpenKey (0xf, {24, 216, 0x40, 0, 0, (0xf, {24, 216, 0x40, 0, 0, "MSHist012008032720080328"}, ... 212, ) }, ... 212, ) == 0x0 01315 2020 NtQueryValueKey (212, (212, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01316 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01317 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 160, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (212, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0\0\0"}, 160, ) }, 160, ) == 0x0 01318 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01319 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (212, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0\0\0"}, 160, ) }, 160, ) == 0x0 01320 2020 NtQueryValueKey (212, (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01321 2020 NtQueryValueKey (212, (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01322 2020 NtQueryValueKey (212, (212, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01323 2020 NtQueryValueKey (212, (212, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01324 2020 NtClose (212, ... ) == 0x0 01325 2020 NtEnumerateKey (216, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= (216, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0 01326 2020 NtOpenKey (0xf, {24, 216, 0x40, 0, 0, (0xf, {24, 216, 0x40, 0, 0, "UserData"}, ... 212, ) }, ... 212, ) == 0x0 01327 2020 NtQueryValueKey (212, (212, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01328 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01329 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (212, "CachePath", Partial, 148, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 01330 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01331 2020 NtQueryValueKey (212, (212, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (212, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 01332 2020 NtQueryValueKey (212, (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 01333 2020 NtQueryValueKey (212, (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 01334 2020 NtQueryValueKey (212, (212, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0 01335 2020 NtQueryValueKey (212, (212, "CacheOptions", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0 01336 2020 NtClose (212, ... ) == 0x0 01337 2020 NtEnumerateKey (216, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 01338 2020 NtReleaseMutant (164, ... 0x0, ) == 0x0 01339 2020 NtClose (216, ... ) == 0x0 01340 2020 NtWaitForSingleObject (168, 0, 0x0, ... ) == 0x0 01341 2020 NtReleaseMutant (168, ... 0x0, ) == 0x0 01342 2020 NtWaitForSingleObject (168, 0, 0x0, ... ) == 0x0 01343 2020 NtReleaseMutant (168, ... 0x0, ) == 0x0 01344 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01345 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01346 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01347 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01349 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01350 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01351 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 216, ) }, ... 216, ) == 0x0 01352 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01353 2020 NtOpenKey (0x1, {24, 216, 0x40, 0, 0, (0x1, {24, 216, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01354 2020 NtClose (216, ... ) == 0x0 01355 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01356 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01357 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 216, ) }, ... 216, ) == 0x0 01358 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01359 2020 NtOpenKey (0x1, {24, 216, 0x40, 0, 0, (0x1, {24, 216, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01360 2020 NtClose (216, ... ) == 0x0 01361 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01362 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01363 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 216, ) }, ... 216, ) == 0x0 01364 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01365 2020 NtOpenKey (0x1, {24, 216, 0x40, 0, 0, (0x1, {24, 216, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01366 2020 NtClose (216, ... ) == 0x0 01367 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01368 2020 NtQueryValueKey (136, (136, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01369 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01370 2020 NtQueryValueKey (216, (216, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01371 2020 NtClose (216, ... ) == 0x0 01372 2020 NtQueryValueKey (136, (136, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01373 2020 NtQueryValueKey (136, (136, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01374 2020 NtQueryValueKey (136, (136, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01375 2020 NtQueryValueKey (136, (136, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01376 2020 NtQueryValueKey (136, (136, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01377 2020 NtQueryValueKey (136, (136, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01378 2020 NtQueryValueKey (136, (136, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01379 2020 NtQueryValueKey (136, (136, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01380 2020 NtQueryValueKey (136, (136, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01381 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01382 2020 NtQueryValueKey (216, (216, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01383 2020 NtClose (216, ... ) == 0x0 01384 2020 NtQueryValueKey (136, (136, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01385 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01386 2020 NtQueryValueKey (216, (216, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01387 2020 NtClose (216, ... ) == 0x0 01388 2020 NtQueryValueKey (136, (136, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01389 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01390 2020 NtQueryValueKey (216, (216, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01391 2020 NtClose (216, ... ) == 0x0 01392 2020 NtQueryValueKey (136, (136, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01393 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01394 2020 NtQueryValueKey (216, (216, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01395 2020 NtClose (216, ... ) == 0x0 01396 2020 NtQueryValueKey (136, (136, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01397 2020 NtQueryValueKey (136, (136, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01398 2020 NtQueryValueKey (136, (136, "CertCacheNoValidate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01399 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 216, ) }, ... 216, ) == 0x0 01400 2020 NtQueryValueKey (216, (216, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01401 2020 NtClose (216, ... ) == 0x0 01402 2020 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0 01403 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01404 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01405 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01406 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 
216, ) }, ... 216, ) == 0x0 01407 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 212, ) }, ... 212, ) == 0x0 01408 2020 NtQueryValueKey (212, (212, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01409 2020 NtQueryValueKey (216, (216, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01410 2020 NtClose (216, ... ) == 0x0 01411 2020 NtClose (212, ... ) == 0x0 01412 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01413 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01414 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 212, ) }, ... 212, ) == 0x0 01415 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01416 2020 NtOpenKey (0x1, {24, 212, 0x40, 0, 0, (0x1, {24, 212, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01417 2020 NtClose (212, ... ) == 0x0 01418 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01419 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01420 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 212, ) }, ... 212, ) == 0x0 01421 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01422 2020 NtOpenKey (0x1, {24, 212, 0x40, 0, 0, (0x1, {24, 212, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01423 2020 NtClose (212, ... ) == 0x0 01424 2020 NtQueryValueKey (136, (136, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01425 2020 NtQueryValueKey (136, (136, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01427 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01428 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 212, ) }, ... 212, ) == 0x0 01429 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01430 2020 NtOpenKey (0x1, {24, 212, 0x40, 0, 0, (0x1, {24, 212, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 2020 NtClose (212, ... ) == 0x0 01432 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01433 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01434 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 212, ) }, ... 212, ) == 0x0 01435 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01436 2020 NtOpenKey (0x1, {24, 212, 0x40, 0, 0, (0x1, {24, 212, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... 216, ) }, ... 216, ) == 0x0 01437 2020 NtQueryValueKey (216, (216, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01438 2020 NtQueryValueKey (216, (216, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01439 2020 NtClose (216, ... ) == 0x0 01440 2020 NtClose (212, ... ) == 0x0 01441 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01443 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 212, ) }, ... 212, ) == 0x0 01444 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01445 2020 NtOpenKey (0x1, {24, 212, 0x40, 0, 0, (0x1, {24, 212, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01446 2020 NtClose (212, ... 
) == 0x0 01447 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 212, ) }, ... 212, ) == 0x0 01448 2020 NtQueryValueKey (212, (212, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01449 2020 NtClose (212, ... ) == 0x0 01450 2020 NtQueryValueKey (136, (136, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01451 2020 NtQueryValueKey (136, (136, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01452 2020 NtQueryValueKey (136, (136, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01453 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 212, ) }, ... 212, ) == 0x0 01454 2020 NtQueryValueKey (212, (212, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01456 2020 NtQueryValueKey (216, (216, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01457 2020 NtClose (212, ... ) == 0x0 01458 2020 NtClose (216, ... ) == 0x0 01459 2020 NtQueryValueKey (136, (136, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01460 2020 NtQueryValueKey (136, (136, "BypassFtpTimeCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01461 2020 NtQueryValueKey (136, (136, "ReleaseSocketDuringAuth", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01462 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01463 2020 NtQueryValueKey (216, (216, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01464 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 212, ) }, ... 212, ) == 0x0 01465 2020 NtQueryValueKey (212, (212, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01466 2020 NtClose (216, ... ) == 0x0 01467 2020 NtClose (212, ... ) == 0x0 01468 2020 NtQueryValueKey (136, (136, "WpadSearchAllDomains", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01469 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 212, ) }, ... 212, ) == 0x0 01470 2020 NtQueryValueKey (212, (212, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01471 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01472 2020 NtQueryValueKey (216, (216, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01473 2020 NtClose (212, ... ) == 0x0 01474 2020 NtClose (216, ... ) == 0x0 01475 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01476 2020 NtQueryValueKey (216, (216, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01477 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 212, ) }, ... 212, ) == 0x0 01478 2020 NtQueryValueKey (212, (212, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01479 2020 NtClose (216, ... ) == 0x0 01480 2020 NtClose (212, ... ) == 0x0 01481 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 212, ) }, ... 212, ) == 0x0 01482 2020 NtQueryValueKey (212, (212, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01483 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01484 2020 NtQueryValueKey (216, (216, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01485 2020 NtClose (212, ... ) == 0x0 01486 2020 NtClose (216, ... ) == 0x0 01487 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01488 2020 NtQueryValueKey (216, (216, "EnableHttpTrace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01489 2020 NtClose (216, ... ) == 0x0 01490 2020 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 216, ) }, ... 216, ) == 0x0 01491 2020 NtQueryValueKey (216, (216, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01492 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 212, ) }, ... 
212, ) == 0x0 01493 2020 NtQueryValueKey (212, (212, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 2020 NtClose (216, ... ) == 0x0 01495 2020 NtClose (212, ... ) == 0x0 01496 2020 NtQueryValueKey (136, (136, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01497 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 212, ) }, ... 212, ) == 0x0 01498 2020 NtQueryValueKey (212, (212, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01499 2020 NtClose (212, ... ) == 0x0 01500 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 212, ) }, ... 212, ) == 0x0 01501 2020 NtQueryValueKey (212, (212, "ShareCredsWithWinHttp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01502 2020 NtClose (212, ... ) == 0x0 01503 2020 NtQueryValueKey (136, (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01504 2020 NtQueryValueKey (136, (136, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01505 2020 NtQueryValueKey (136, (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01506 2020 NtQueryValueKey (136, (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01507 2020 NtQueryValueKey (136, (136, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01508 2020 NtQueryValueKey (136, (136, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01509 2020 NtQueryValueKey (136, (136, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01510 2020 NtQueryValueKey (136, (136, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01511 2020 NtQueryValueKey (136, (136, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (136, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01512 2020 NtQueryValueKey (136, (136, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01513 2020 NtQueryValueKey (136, (136, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01514 2020 NtQueryValueKey (136, (136, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01515 2020 NtQueryValueKey (136, (136, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01516 2020 NtQueryValueKey (136, (136, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01517 2020 NtQueryValueKey (136, (136, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01518 2020 NtQueryValueKey (136, (136, "WarnOnHTTPSToHTTPRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01519 2020 NtOpenMutant (0x100000, {24, 48, 0x0, 0, 0, (0x100000, {24, 48, 0x0, 0, 0, "Local\WininetStartupMutex"}, ... 212, ) }, ... 212, ) == 0x0 01520 2020 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 216, ) }, ... 216, ) == 0x0 01521 2020 NtQueryValueKey (216, (216, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01522 2020 NtQueryValueKey (216, (216, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (216, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01523 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 220, ) == 0x0 01524 2020 NtOpenKey (0x2000000, {24, 216, 0x40, 0, 0, (0x2000000, {24, 216, 0x40, 0, 0, "Protocol_Catalog9"}, ... 224, ) }, ... 224, ) == 0x0 01525 2020 NtQueryValueKey (224, (224, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 01526 2020 NtNotifyChangeKey (224, 220, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 01527 2020 NtQueryValueKey (224, (224, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 01528 2020 NtOpenKey (0x2000000, {24, 224, 0x40, 0, 0, (0x2000000, {24, 224, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01529 2020 NtQueryValueKey (224, (224, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 01530 2020 NtQueryValueKey (224, (224, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 01531 2020 NtOpenKey (0x2000000, {24, 224, 0x40, 0, 0, (0x2000000, {24, 224, 0x40, 0, 0, "Catalog_Entries"}, ... 228, ) }, ... 228, ) == 0x0 01532 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000001"}, ... 232, ) }, ... 232, ) == 0x0 01533 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01534 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01535 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\0\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\0\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\1\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\2\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\2\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\0\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\0\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\1\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\2\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\2\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\2\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\0\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\0\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\1\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\1\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\2\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\2\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\3\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01536 2020 NtClose (232, ... ) == 0x0 01537 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000002"}, ... 232, ) }, ... 
232, ) == 0x0 01538 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01539 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01540 2020 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0 01541 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\6\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\6\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\7\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\10\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\10\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\6\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\6\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\7\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\10\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\10\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\10\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\6\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\6\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\7\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\10\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\10\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01542 2020 NtClose (232, ... ) == 0x0 01543 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000003"}, ... 232, ) }, ... 232, ) == 0x0 01544 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01545 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01546 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\13\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\13\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\14\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\15\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\15\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\13\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\13\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\14\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\15\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\15\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\15\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\13\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\13\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\14\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\15\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\15\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01547 2020 NtClose (232, ... ) == 0x0 01548 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000004"}, ... 232, ) }, ... 232, ) == 0x0 01549 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01550 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01551 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\20\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\20\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\21\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\22\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\22\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\20\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\20\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\21\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\22\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\22\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\22\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\20\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\20\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\21\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\22\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\22\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01552 2020 NtClose (232, ... ) == 0x0 01553 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000005"}, ... 232, ) }, ... 232, ) == 0x0 01554 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01555 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01556 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\25\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\25\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\26\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\27\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\27\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\25\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\25\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\26\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\27\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\27\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\27\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\25\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\25\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\26\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\27\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\27\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01557 2020 NtClose (232, ... ) == 0x0 01558 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000006"}, ... 232, ) }, ... 232, ) == 0x0 01559 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01560 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01561 2020 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0 01562 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\33\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\33\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\34\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\35\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\35\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\33\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\33\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\34\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\35\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\35\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\35\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\33\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0\33\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\34\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0\35\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\35\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01563 2020 NtClose (232, ... ) == 0x0 01564 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000007"}, ... 232, ) }, ... 
232, ) == 0x0 01565 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01566 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01567 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0 \6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0 
\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0!\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0"\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0"\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0 \6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0 
\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0!\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0"\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0"\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0 \6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0 
\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0!\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0"\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0"\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0 \6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0 
\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0!\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0"\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0"\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01568 2020 NtClose (232, ... ) == 0x0 01569 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000008"}, ... 232, ) }, ... 232, ) == 0x0 01570 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01571 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01572 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0%\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0%\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0&\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0'\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0'\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0%\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0%\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0&\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0'\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0'\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0'\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0%\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0%\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0&\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0'\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0'\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01573 2020 NtClose (232, ... ) == 0x0 01574 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000009"}, ... 232, ) }, ... 232, ) == 0x0 01575 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01576 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01577 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0*\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0*\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0+\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0,\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0,\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0*\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0*\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0+\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0,\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0,\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0,\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0*\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0*\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0+\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0,\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0,\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 
900, ) == 0x0 01578 2020 NtClose (232, ... ) == 0x0 01579 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000010"}, ... 232, ) }, ... 232, ) == 0x0 01580 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01581 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01582 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0/\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0/\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\00\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\01\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\01\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0/\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0/\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\00\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\01\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\01\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\01\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0/\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0/\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\00\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\01\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\01\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01583 2020 NtClose (232, ... ) == 0x0 01584 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000011"}, ... 232, ) }, ... 232, ) == 0x0 01585 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01586 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01587 2020 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0 01588 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\05\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\05\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\06\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\07\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\07\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\05\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\05\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\06\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\07\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\07\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\07\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\05\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\05\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\06\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\07\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\07\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01589 2020 NtClose (232, ... ) == 0x0 01590 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000012"}, ... 232, ) }, ... 232, ) == 0x0 01591 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01592 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01593 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0:\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0:\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0;\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0<\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0<\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0:\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0:\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0;\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0<\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0<\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0<\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0:\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0:\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0;\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0<\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0<\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 
900, ) == 0x0 01594 2020 NtClose (232, ... ) == 0x0 01595 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000013"}, ... 232, ) }, ... 232, ) == 0x0 01596 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01597 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01598 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0?\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0?\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0@\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0A\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0A\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0?\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0?\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0@\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0A\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0A\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0A\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0?\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0?\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0@\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0A\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0A\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01599 2020 NtClose (232, ... ) == 0x0 01600 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000014"}, ... 232, ) }, ... 232, ) == 0x0 01601 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01602 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01603 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0D\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0D\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0E\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0F\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0F\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0D\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0D\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0E\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0F\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0F\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0F\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0D\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0D\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0E\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0F\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0F\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) 
== 0x0 01604 2020 NtClose (232, ... ) == 0x0 01605 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000015"}, ... 232, ) }, ... 232, ) == 0x0 01606 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01607 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01608 2020 NtAllocateVirtualMemory (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0 01609 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0J\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0J\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0K\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0L\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0L\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0J\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0J\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0K\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0L\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0L\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0L\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0J\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0J\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0K\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0L\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0L\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01610 2020 NtClose (232, ... ) == 0x0 01611 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000016"}, ... 232, ) }, ... 232, ) == 0x0 01612 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01613 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01614 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0O\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0O\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0P\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0Q\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0Q\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0O\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0O\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0P\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0Q\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0Q\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0Q\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0O\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0O\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0P\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0Q\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0Q\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 
900, ) == 0x0 01615 2020 NtClose (232, ... ) == 0x0 01616 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000017"}, ... 232, ) }, ... 232, ) == 0x0 01617 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01618 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01619 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0T\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0T\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0U\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0V\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0V\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0T\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0T\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0U\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0V\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0V\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0V\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0T\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0T\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0U\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0V\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0V\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01620 2020 NtClose (232, ... ) == 0x0 01621 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000018"}, ... 232, ) }, ... 232, ) == 0x0 01622 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01623 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01624 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0Y\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0Y\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0Z\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0[\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0[\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0Y\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0Y\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0Z\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0[\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0[\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0[\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0Y\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0Y\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0Z\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0[\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0[\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 
900, ) == 0x0 01625 2020 NtClose (232, ... ) == 0x0 01626 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000019"}, ... 232, ) }, ... 232, ) == 0x0 01627 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01628 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01629 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0^\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0^\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0_\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0`\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0`\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0^\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0^\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0_\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0`\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0`\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0`\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0^\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0^\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0_\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0`\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0`\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01630 2020 NtClose (232, ... ) == 0x0 01631 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000020"}, ... 232, ) }, ... 232, ) == 0x0 01632 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01633 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01634 2020 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0 01635 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0d\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0d\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0e\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0f\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0f\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0d\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0d\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0e\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0f\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0f\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0f\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0d\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0d\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0e\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0f\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0f\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01636 2020 NtClose (232, ... ) == 0x0 01637 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000021"}, ... 232, ) }, ... 232, ) == 0x0 01638 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01639 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01640 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0i\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0i\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0j\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0k\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0k\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0i\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0i\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0j\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0k\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0k\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0k\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0 (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0i\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0i\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\0\0\0L\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\244\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0j\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\0\0\0k\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0k\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\6\0\0d\3\0\0\344\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, 
) == 0x0 01641 2020 NtClose (232, ... ) == 0x0 01642 2020 NtOpenKey (0x20019, {24, 228, 0x40, 0, 0, (0x20019, {24, 228, 0x40, 0, 0, "000000000022"}, ... 232, ) }, ... 232, ) == 0x0 01643 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01644 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01645 2020 NtQueryValueKey (232, (232, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0n\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0n\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\344\0\0\0o\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\6\0\0d\3\0\0\344\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\334\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\6\0\0d\3\0\0\344\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0q\6\0\0d\3\0\0\344\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0q\6\0\0d\3\0\0\344\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\344\0\0\0r\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\330\0\0\0t\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\320\210\25\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (232, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0n\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0n\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\344\0\0\0o\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\6\0\0d\3\0\0\344\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\334\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\6\0\0d\3\0\0\344\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0q\6\0\0d\3\0\0\344\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0q\6\0\0d\3\0\0\344\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\344\0\0\0r\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\330\0\0\0t\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\320\210\25\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0n\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\0\0\0n\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\344\0\0\0o\6\0\0d\3\0\0\344\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\6\0\0d\3\0\0\344\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\334\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\6\0\0d\3\0\0\344\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0q\6\0\0d\3\0\0\344\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0q\6\0\0d\3\0\0\344\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\344\0\0\0r\6\0\0d\3\0\0\344\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\330\0\0\0t\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\320\210\25\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 01646 2020 NtClose (232, ... ) == 0x0 01647 2020 NtClose (228, ... ) == 0x0 01648 2020 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x102 01649 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 228, ) == 0x0 01650 2020 NtOpenKey (0x2000000, {24, 216, 0x40, 0, 0, (0x2000000, {24, 216, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 232, ) }, ... 232, ) == 0x0 01651 2020 NtQueryValueKey (232, (232, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 01652 2020 NtNotifyChangeKey (232, 228, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 01653 2020 NtQueryValueKey (232, (232, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 01654 2020 NtOpenKey (0x2000000, {24, 232, 0x40, 0, 0, (0x2000000, {24, 232, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01655 2020 NtQueryValueKey (232, (232, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (232, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01656 2020 NtOpenKey (0x2000000, {24, 232, 0x40, 0, 0, (0x2000000, {24, 232, 0x40, 0, 0, "Catalog_Entries"}, ... 236, ) }, ... 236, ) == 0x0 01657 2020 NtOpenKey (0x20019, {24, 236, 0x40, 0, 0, (0x20019, {24, 236, 0x40, 0, 0, "000000000001"}, ... 240, ) }, ... 240, ) == 0x0 01658 2020 NtQueryValueKey (240, (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01659 2020 NtQueryValueKey (240, (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01660 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01661 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01662 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01663 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01664 2020 NtQueryValueKey (240, (240, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (240, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01665 2020 NtQueryValueKey (240, (240, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01666 2020 NtQueryValueKey (240, (240, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01667 2020 NtQueryValueKey (240, (240, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Enabled", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01668 2020 NtQueryValueKey (240, (240, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01669 2020 NtQueryValueKey (240, (240, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01670 2020 NtClose (240, ... ) == 0x0 01671 2020 NtOpenKey (0x20019, {24, 236, 0x40, 0, 0, (0x20019, {24, 236, 0x40, 0, 0, "000000000002"}, ... 240, ) }, ... 240, ) == 0x0 01672 2020 NtQueryValueKey (240, (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01673 2020 NtQueryValueKey (240, (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01674 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01675 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01676 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01677 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01678 2020 NtQueryValueKey (240, (240, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (240, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01679 2020 NtQueryValueKey (240, (240, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01680 2020 NtQueryValueKey (240, (240, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01681 2020 NtQueryValueKey (240, (240, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01682 2020 NtQueryValueKey (240, (240, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01683 2020 NtQueryValueKey (240, (240, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01684 2020 NtClose (240, ... ) == 0x0 01685 2020 NtAllocateVirtualMemory (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0 01686 2020 NtOpenKey (0x20019, {24, 236, 0x40, 0, 0, (0x20019, {24, 236, 0x40, 0, 0, "000000000003"}, ... 240, ) }, ... 240, ) == 0x0 01687 2020 NtQueryValueKey (240, (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01688 2020 NtQueryValueKey (240, (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01689 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01690 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01691 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01692 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01693 2020 NtQueryValueKey (240, (240, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (240, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01694 2020 NtQueryValueKey (240, (240, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01695 2020 NtQueryValueKey (240, (240, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01696 2020 NtQueryValueKey (240, (240, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01697 2020 NtQueryValueKey (240, (240, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01698 2020 NtQueryValueKey (240, (240, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01699 2020 NtClose (240, ... ) == 0x0 01700 2020 NtOpenKey (0x20019, {24, 236, 0x40, 0, 0, (0x20019, {24, 236, 0x40, 0, 0, "000000000004"}, ... 240, ) }, ... 240, ) == 0x0 01701 2020 NtQueryValueKey (240, (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01702 2020 NtQueryValueKey (240, (240, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01703 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01704 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01705 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01706 2020 NtQueryValueKey (240, (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01707 2020 NtQueryValueKey (240, (240, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (240, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 01708 2020 NtQueryValueKey (240, (240, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01709 2020 NtQueryValueKey (240, (240, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01710 2020 NtQueryValueKey (240, (240, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01711 2020 NtQueryValueKey (240, (240, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01712 2020 NtQueryValueKey (240, (240, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01713 2020 NtClose (240, ... ) == 0x0 01714 2020 NtClose (236, ... ) == 0x0 01715 2020 NtWaitForSingleObject (228, 0, {0, 0}, ... ) == 0x102 01716 2020 NtClose (216, ... ) == 0x0 01717 2020 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01718 2020 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01719 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 216, ) }, ... 216, ) == 0x0 01720 2020 NtQueryValueKey (216, (216, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01721 2020 NtClose (216, ... ) == 0x0 01722 2020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 216, ) == 0x0 01723 2020 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 236, ) == 0x0 01724 2020 NtQueryValueKey (136, (136, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01725 2020 NtWaitForSingleObject (168, 0, 0x0, ... ) == 0x0 01726 2020 NtReleaseMutant (168, ... 0x0, ) == 0x0 01727 2020 NtOpenMutant (0x100000, {24, 48, 0x0, 0, 0, (0x100000, {24, 48, 0x0, 0, 0, "Local\WininetConnectionMutex"}, ... 240, ) }, ... 240, ) == 0x0 01728 2020 NtOpenMutant (0x100000, {24, 48, 0x0, 0, 0, (0x100000, {24, 48, 0x0, 0, 0, "Local\WininetProxyRegistryMutex"}, ... 244, ) }, ... 244, ) == 0x0 01729 2020 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 248, ) == 0x0 01730 2020 NtQueryValueKey (136, (136, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01731 2020 NtQueryValueKey (136, (136, "NoNetAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01732 2020 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 252, ) == 0x0 01733 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 256, ) }, ... 256, ) == 0x0 01734 2020 NtQueryValueKey (256, (256, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01735 2020 NtQueryValueKey (256, (256, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (256, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01736 2020 NtClose (256, ... ) == 0x0 01737 2020 NtQueryValueKey (136, (136, "TruncateFileName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01738 2020 NtAllocateVirtualMemory (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0 01739 2020 NtQueryValueKey (136, (136, "BadProxyExpiresTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01740 2020 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 256, ) == 0x0 01741 2020 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 01742 2020 NtClearEvent (256, ... ) == 0x0 01743 2020 NtSetEvent (256, ... 0x0, ) == 0x0 01744 2020 NtClearEvent (236, ... ) == 0x0 01745 2020 NtSetEvent (236, ... 0x0, ) == 0x0 01746 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "icmp.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01747 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\icmp.dll"}, 1240404, ... ) }, 1240404, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01748 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\icmp.dll"}, 1240404, ... ) }, 1240404, ... ) == 0x0 01749 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\icmp.dll"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0 01750 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 260, ... 264, ) == 0x0 01751 2020 NtQuerySection (264, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01752 2020 NtClose (260, ... ) == 0x0 01753 2020 NtMapViewOfSection (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74290000), 0x0, 16384, ) == 0x0 01754 2020 NtClose (264, ... ) == 0x0 01755 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01756 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1240876, ... ) }, 1240876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01757 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1240876, ... ) }, 1240876, ... ) == 0x0 01758 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0 01759 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 264, ... 260, ) == 0x0 01760 2020 NtQuerySection (260, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01761 2020 NtClose (264, ... ) == 0x0 01762 2020 NtMapViewOfSection (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0 01763 2020 NtClose (260, ... 
) == 0x0 01764 2020 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01765 2020 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01766 2020 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01767 2020 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01768 2020 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01769 2020 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01770 2020 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01771 2020 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01772 2020 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01773 2020 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01774 2020 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01775 2020 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01776 2020 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01777 2020 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01778 2020 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01779 2020 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01780 2020 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01781 2020 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01782 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01783 2020 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01784 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16711680, 65536, ) == 0x0 01785 2020 NtAllocateVirtualMemory (-1, 16711680, 0, 4096, 4096, 4, ... 16711680, 4096, ) == 0x0 01786 2020 NtAllocateVirtualMemory (-1, 16715776, 0, 8192, 4096, 4, ... 16715776, 8192, ) == 0x0 01787 2020 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 260, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 260, {status=0x0, info=0}, ) == 0x0 01788 2020 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) == 0x0 01789 2020 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 268, {status=0x0, info=0}, ) == 0x0 01790 2020 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0 01791 2020 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1241600, (0x20100080, {24, 0, 0x40, 0, 1241600, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 276, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 276, {status=0x0, info=0}, ) == 0x0 01792 2020 NtAllocateVirtualMemory (-1, 16723968, 0, 36864, 4096, 4, ... 16723968, 36864, ) == 0x0 01793 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
280, ) == 0x0 01794 2020 NtDeviceIoControlFile (260, 280, 0x0, 0x0, 0x120003, (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01795 2020 NtClose (280, ... ) == 0x0 01796 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0 01797 2020 NtDeviceIoControlFile (260, 280, 0x0, 0x0, 0x120003, (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 01798 2020 NtClose (280, ... ) == 0x0 01799 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0 01800 2020 NtDeviceIoControlFile (260, 280, 0x0, 0x0, 0x120003, (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... 
{status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363o\201\1\0\0\0\5\0\0\0\232A\250\25\5NF\3\242\303\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\247X+\0hJ\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (260, 280, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363o\201\1\0\0\0\5\0\0\0\232A\250\25\5NF\3\242\303\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\247X+\0hJ\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 01801 2020 NtClose (280, ... ) == 0x0 01802 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0 01803 2020 NtDeviceIoControlFile (260, 280, 0x0, 0x0, 0x120003, (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (260, 280, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01804 2020 NtClose (280, ... ) == 0x0 01805 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0 01806 2020 NtDeviceIoControlFile (260, 280, 0x0, 0x0, 0x120003, (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... 
{status=0x0, info=4}, (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 01807 2020 NtClose (280, ... ) == 0x0 01808 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 280, ) == 0x0 01809 2020 NtDeviceIoControlFile (260, 280, 0x0, 0x0, 0x120003, (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (260, 280, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 01810 2020 NtClose (280, ... ) == 0x0 01811 2020 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 280, ) == 0x0 01812 2020 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 284, ) == 0x0 01813 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01814 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01815 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01816 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01817 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01818 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01819 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01820 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 
16777216, 4096, ) == 0x0 01821 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01822 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01823 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01824 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01825 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01826 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01827 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01828 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01829 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01830 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01831 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01832 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01833 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01834 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... 
{BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01835 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01836 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01837 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01838 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01839 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01840 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01841 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01842 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01843 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01844 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01845 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01846 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01847 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01848 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
16777216, 65536, ) == 0x0 01849 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01850 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01851 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01852 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01853 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01854 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01855 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01856 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01857 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01858 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01859 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01860 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01861 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01862 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... 
(0x1000000), 65536, ) == 0x0 01863 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01864 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01865 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01866 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01867 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01868 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01869 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01870 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01871 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01872 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01873 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01874 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01875 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01876 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... 
{BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01877 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01878 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01879 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01880 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01881 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01882 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01883 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01884 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01885 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01886 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01887 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01888 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01889 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01890 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 
16777216, 4096, ) == 0x0 01891 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01892 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01893 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01894 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01895 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01896 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01897 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01898 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01899 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01900 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01901 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01902 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01903 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01904 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... 
{BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01905 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01906 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01907 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01908 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01909 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01910 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01911 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01912 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01913 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01914 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01915 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01916 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01917 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01918 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
16777216, 65536, ) == 0x0 01919 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01920 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01921 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01922 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01923 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01924 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01925 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01926 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01927 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01928 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01929 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01930 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01931 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01932 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... 
(0x1000000), 65536, ) == 0x0 01933 2020 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 16777216, 65536, ) == 0x0 01934 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01935 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 1, 4096, 4, ... 16777216, 4096, ) == 0x0 01936 2020 NtQueryVirtualMemory (-1, 0x1000000, Basic, 28, ... {BaseAddress=0x1000000,AllocationBase=0x1000000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01937 2020 NtFreeVirtualMemory (-1, (0x1000000), 0, 32768, ... (0x1000000), 65536, ) == 0x0 01938 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 288, ) }, ... 288, ) == 0x0 01939 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 292, ) }, ... 292, ) == 0x0 01940 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 296, ) }, ... 296, ) == 0x0 01941 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 300, ) }, ... 300, ) == 0x0 01942 2020 NtQueryDefaultLocale (1, 1241580, ... ) == 0x0 01943 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01944 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... 304, ) }, ... 304, ) == 0x0 01945 2020 NtMapViewOfSection (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0 01946 2020 NtClose (304, ... 
) == 0x0 01947 2020 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 01948 2020 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 01949 2020 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 01950 2020 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 01951 2020 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 01952 2020 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 01953 2020 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 01954 2020 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 01955 2020 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 01956 2020 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 01957 2020 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 01958 2020 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 01959 2020 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 01960 2020 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 01961 2020 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 01962 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01963 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "dnsapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01964 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\dnsapi.dll"}, 1240404, ... ) }, 1240404, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01965 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dnsapi.dll"}, 1240404, ... ) }, 1240404, ... ) == 0x0 01966 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dnsapi.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0 01967 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 304, ... 308, ) == 0x0 01968 2020 NtQuerySection (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01969 2020 NtClose (304, ... ) == 0x0 01970 2020 NtMapViewOfSection (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0 01971 2020 NtClose (308, ... ) == 0x0 01972 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01973 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01974 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01975 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01976 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01977 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01978 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01979 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01980 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01981 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01982 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01983 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01984 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01985 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 
(0x76f21000), 4096, 4, ) == 0x0 01986 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01987 2020 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01988 2020 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01989 2020 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01990 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dnsapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01991 2020 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 308, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 308, 2, ) , 0, ... 308, 2, ) == 0x0 01992 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 304, ) }, ... 304, ) == 0x0 01993 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01994 2020 NtQueryValueKey (304, (304, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01995 2020 NtQueryValueKey (308, (308, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01996 2020 NtQueryValueKey (304, (304, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01997 2020 NtQueryValueKey (308, (308, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "UseDomainNameDevolution", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01998 2020 NtQueryValueKey (304, (304, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01999 2020 NtQueryValueKey (308, (308, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02000 2020 NtQueryValueKey (304, (304, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02001 2020 NtQueryValueKey (308, (308, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02002 2020 NtQueryValueKey (304, (304, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02003 2020 NtQueryValueKey (304, (304, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02004 2020 NtQueryValueKey (304, (304, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02005 2020 NtQueryValueKey (304, (304, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02006 2020 NtQueryValueKey (304, (304, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02007 2020 NtQueryValueKey (304, (304, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02008 2020 NtQueryValueKey (304, (304, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02009 2020 NtQueryValueKey (304, (304, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02010 2020 NtQueryValueKey (304, (304, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02011 2020 NtQueryValueKey (308, (308, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02012 2020 NtQueryValueKey (304, (304, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02013 2020 NtQueryValueKey (304, (304, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02014 2020 NtQueryValueKey (308, (308, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02015 2020 NtQueryValueKey (304, (304, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02016 2020 NtQueryValueKey (308, (308, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02017 2020 NtQueryValueKey (304, (304, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02018 2020 NtQueryValueKey (308, (308, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02019 2020 NtQueryValueKey (304, (304, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02020 2020 NtQueryValueKey (308, (308, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02021 2020 NtQueryValueKey (304, (304, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02022 2020 NtQueryValueKey (308, (308, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02023 2020 NtQueryValueKey (304, (304, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02024 2020 NtQueryValueKey (308, (308, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02025 2020 NtQueryValueKey (304, (304, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02026 2020 NtQueryValueKey (308, (308, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02027 2020 NtQueryValueKey (304, (304, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02028 2020 NtQueryValueKey (304, (304, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02029 2020 NtQueryValueKey (304, (304, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02030 2020 NtQueryValueKey (304, (304, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02031 2020 NtQueryValueKey (304, (304, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02032 2020 NtQueryValueKey (304, (304, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02033 2020 NtQueryValueKey (304, (304, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02034 2020 NtQueryValueKey (304, (304, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02035 2020 NtQueryValueKey (304, (304, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02036 2020 NtQueryValueKey (304, (304, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02037 2020 NtQueryValueKey (304, (304, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02038 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 312, ) }, ... 312, ) == 0x0 02039 2020 NtQueryValueKey (312, (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "SystemSetupInProgress", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02040 2020 NtClose (312, ... ) == 0x0 02041 2020 NtClose (308, ... ) == 0x0 02042 2020 NtClose (304, ... ) == 0x0 02043 2020 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 304, ) }, ... 304, ) == 0x0 02044 2020 NtQueryValueKey (304, (304, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02045 2020 NtQueryValueKey (304, (304, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02046 2020 NtQueryValueKey (304, (304, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02047 2020 NtClose (304, ... ) == 0x0 02048 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 304, ) }, ... 304, ) == 0x0 02049 2020 NtMapViewOfSection (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 73728, ) == 0x0 02050 2020 NtClose (304, ... ) == 0x0 02051 2020 NtProtectVirtualMemory (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0 02052 2020 NtProtectVirtualMemory (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0 02053 2020 NtFlushInstructionCache (-1, 1907494912, 440, ... ) == 0x0 02054 2020 NtProtectVirtualMemory (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0 02055 2020 NtProtectVirtualMemory (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0 02056 2020 NtFlushInstructionCache (-1, 1907494912, 440, ... ) == 0x0 02057 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02058 2020 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 304, ) == 0x0 02059 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
308, ) == 0x0 02060 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 312, ) }, ... 312, ) == 0x0 02061 2020 NtNotifyChangeKey (312, 308, 0, 0, 2011455960, 4, 0, 0, 0, 1, ... ) == 0x103 02062 2020 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 02063 2020 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 316, ) == 0x0 02064 2020 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 320, ) == 0x0 02065 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02066 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\odbc32.dll"}, 1240404, ... ) }, 1240404, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02067 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbc32.dll"}, 1240404, ... ) }, 1240404, ... ) == 0x0 02068 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbc32.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0 02069 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 324, ... 328, ) == 0x0 02070 2020 NtQuerySection (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02071 2020 NtClose (324, ... ) == 0x0 02072 2020 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74320000), 0x0, 249856, ) == 0x0 02073 2020 NtClose (328, ... ) == 0x0 02074 2020 NtProtectVirtualMemory (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0 02075 2020 NtProtectVirtualMemory (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0 02076 2020 NtFlushInstructionCache (-1, 1949437952, 840, ... ) == 0x0 02077 2020 NtProtectVirtualMemory (-1, (0x74321000), 840, 4, ... 
(0x74321000), 4096, 32, ) == 0x0 02078 2020 NtProtectVirtualMemory (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0 02079 2020 NtFlushInstructionCache (-1, 1949437952, 840, ... ) == 0x0 02080 2020 NtProtectVirtualMemory (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0 02081 2020 NtProtectVirtualMemory (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0 02082 2020 NtFlushInstructionCache (-1, 1949437952, 840, ... ) == 0x0 02083 2020 NtProtectVirtualMemory (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0 02084 2020 NtProtectVirtualMemory (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0 02085 2020 NtFlushInstructionCache (-1, 1949437952, 840, ... ) == 0x0 02086 2020 NtProtectVirtualMemory (-1, (0x74321000), 840, 4, ... (0x74321000), 4096, 32, ) == 0x0 02087 2020 NtProtectVirtualMemory (-1, (0x74321000), 4096, 32, ... (0x74321000), 4096, 4, ) == 0x0 02088 2020 NtFlushInstructionCache (-1, 1949437952, 840, ... ) == 0x0 02089 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 328, ) }, ... 328, ) == 0x0 02090 2020 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 299008, ) == 0x0 02091 2020 NtClose (328, ... ) == 0x0 02092 2020 NtProtectVirtualMemory (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0 02093 2020 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 02094 2020 NtFlushInstructionCache (-1, 1983582208, 1552, ... ) == 0x0 02095 2020 NtProtectVirtualMemory (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0 02096 2020 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 02097 2020 NtFlushInstructionCache (-1, 1983582208, 1552, ... ) == 0x0 02098 2020 NtProtectVirtualMemory (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0 02099 2020 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... 
(0x763b1000), 4096, 4, ) == 0x0 02100 2020 NtFlushInstructionCache (-1, 1983582208, 1552, ... ) == 0x0 02101 2020 NtProtectVirtualMemory (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0 02102 2020 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 02103 2020 NtFlushInstructionCache (-1, 1983582208, 1552, ... ) == 0x0 02104 2020 NtProtectVirtualMemory (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0 02105 2020 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 02106 2020 NtFlushInstructionCache (-1, 1983582208, 1552, ... ) == 0x0 02107 2020 NtProtectVirtualMemory (-1, (0x763b1000), 1552, 4, ... (0x763b1000), 4096, 32, ) == 0x0 02108 2020 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 02109 2020 NtFlushInstructionCache (-1, 1983582208, 1552, ... ) == 0x0 02110 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comdlg32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02111 2020 NtUserRegisterWindowMessage ( ("WOWLFChange", ... ) , ... ) == 0xc06c 02112 2020 NtUserRegisterWindowMessage ( ("WOWDirChange", ... ) , ... ) == 0xc06d 02113 2020 NtUserRegisterWindowMessage ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06e 02114 2020 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06f 02115 2020 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc070 02116 2020 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc071 02117 2020 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc072 02118 2020 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc073 02119 2020 NtUserRegisterWindowMessage ( ("commdlg_LBSelChangedNotify", ... ) , ... 
) == 0xc06f 02120 2020 NtUserRegisterWindowMessage ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc070 02121 2020 NtUserRegisterWindowMessage ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc071 02122 2020 NtUserRegisterWindowMessage ( ("commdlg_ColorOK", ... ) , ... ) == 0xc072 02123 2020 NtUserRegisterWindowMessage ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc073 02124 2020 NtUserRegisterWindowMessage ( ("Shell IDList Array", ... ) , ... ) == 0xc074 02125 2020 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc075 02126 2020 NtUserRegisterWindowMessage ( ("commdlg_help", ... ) , ... ) == 0xc075 02127 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odbc32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02128 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\BidInterface\Loader"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02129 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02130 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02131 2020 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02132 2020 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02133 2020 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 16777216, 262144, ) == 0x0 02134 2020 NtAllocateVirtualMemory (-1, 16777216, 0, 4096, 4096, 4, ... 16777216, 4096, ) == 0x0 02135 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02136 2020 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 20971520, 262144, ) == 0x0 02137 2020 NtAllocateVirtualMemory (-1, 20971520, 0, 4096, 4096, 4, ... 20971520, 4096, ) == 0x0 02138 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02139 2020 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 21233664, 262144, ) == 0x0 02140 2020 NtAllocateVirtualMemory (-1, 21233664, 0, 4096, 4096, 4, ... 21233664, 4096, ) == 0x0 02141 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02142 2020 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 
21495808, 262144, ) == 0x0 02143 2020 NtAllocateVirtualMemory (-1, 21495808, 0, 4096, 4096, 4, ... 21495808, 4096, ) == 0x0 02144 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02145 2020 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02146 2020 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02147 2020 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02148 2020 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 1449984, 4096, ) == 0x0 02149 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 1236776, ... ) }, 1236776, ... ) == 0x0 02150 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 02151 2020 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 328, ... 324, ) == 0x0 02152 2020 NtClose (328, ... ) == 0x0 02153 2020 NtMapViewOfSection (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1040000), 0x0, 94208, ) == 0x0 02154 2020 NtClose (324, ... ) == 0x0 02155 2020 NtUnmapViewOfSection (-1, 0x1040000, ... ) == 0x0 02156 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 1237084, ... ) }, 1237084, ... 
) == 0x0 02157 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\odbcint.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0 02158 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 324, ... 328, ) == 0x0 02159 2020 NtQuerySection (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02160 2020 NtClose (324, ... ) == 0x0 02161 2020 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x20000000), 0x0, 94208, ) == 0x0 02162 2020 NtClose (328, ... ) == 0x0 02163 2020 NtQueryDefaultLocale (1, 1238916, ... ) == 0x0 02164 2020 NtAllocateVirtualMemory (-1, 16781312, 0, 4096, 4096, 4, ... 16781312, 4096, ) == 0x0 02165 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 328, ) }, ... 328, ) == 0x0 02166 2020 NtClose (328, ... ) == 0x0 02167 2020 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02168 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02169 2020 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02170 2020 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02171 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odbcint.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02172 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "avicap32.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02173 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\avicap32.dll"}, 1240404, ... ) }, 1240404, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02174 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\avicap32.dll"}, 1240404, ... ) }, 1240404, ... ) == 0x0 02175 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\avicap32.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 02176 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 328, ... 324, ) == 0x0 02177 2020 NtQuerySection (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02178 2020 NtClose (328, ... ) == 0x0 02179 2020 NtMapViewOfSection (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73b80000), 0x0, 73728, ) == 0x0 02180 2020 NtClose (324, ... ) == 0x0 02181 2020 NtProtectVirtualMemory (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0 02182 2020 NtProtectVirtualMemory (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0 02183 2020 NtFlushInstructionCache (-1, 1941442560, 732, ... ) == 0x0 02184 2020 NtProtectVirtualMemory (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0 02185 2020 NtProtectVirtualMemory (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0 02186 2020 NtFlushInstructionCache (-1, 1941442560, 732, ... ) == 0x0 02187 2020 NtProtectVirtualMemory (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0 02188 2020 NtProtectVirtualMemory (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0 02189 2020 NtFlushInstructionCache (-1, 1941442560, 732, ... ) == 0x0 02190 2020 NtProtectVirtualMemory (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0 02191 2020 NtProtectVirtualMemory (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0 02192 2020 NtFlushInstructionCache (-1, 1941442560, 732, ... 
) == 0x0 02193 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02194 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1239588, ... ) }, 1239588, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02195 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 1239588, ... ) }, 1239588, ... ) == 0x0 02196 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 5, 96, ... 324, {status=0x0, info=1}, ) }, 5, 96, ... 324, {status=0x0, info=1}, ) == 0x0 02197 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 324, ... 328, ) == 0x0 02198 2020 NtQuerySection (328, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02199 2020 NtClose (324, ... ) == 0x0 02200 2020 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 184320, ) == 0x0 02201 2020 NtClose (328, ... ) == 0x0 02202 2020 NtProtectVirtualMemory (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02203 2020 NtProtectVirtualMemory (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02204 2020 NtFlushInstructionCache (-1, 1991512064, 860, ... ) == 0x0 02205 2020 NtProtectVirtualMemory (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02206 2020 NtProtectVirtualMemory (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02207 2020 NtFlushInstructionCache (-1, 1991512064, 860, ... ) == 0x0 02208 2020 NtProtectVirtualMemory (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0 02209 2020 NtProtectVirtualMemory (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02210 2020 NtFlushInstructionCache (-1, 1991512064, 860, ... ) == 0x0 02211 2020 NtProtectVirtualMemory (-1, (0x76b41000), 860, 4, ... 
(0x76b41000), 4096, 32, ) == 0x0 02212 2020 NtProtectVirtualMemory (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0 02213 2020 NtFlushInstructionCache (-1, 1991512064, 860, ... ) == 0x0 02214 2020 NtProtectVirtualMemory (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0 02215 2020 NtProtectVirtualMemory (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0 02216 2020 NtFlushInstructionCache (-1, 1941442560, 732, ... ) == 0x0 02217 2020 NtProtectVirtualMemory (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0 02218 2020 NtProtectVirtualMemory (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0 02219 2020 NtFlushInstructionCache (-1, 1941442560, 732, ... ) == 0x0 02220 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 328, ) }, ... 328, ) == 0x0 02221 2020 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0 02222 2020 NtClose (328, ... ) == 0x0 02223 2020 NtProtectVirtualMemory (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0 02224 2020 NtProtectVirtualMemory (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0 02225 2020 NtFlushInstructionCache (-1, 2009075712, 304, ... ) == 0x0 02226 2020 NtProtectVirtualMemory (-1, (0x73b81000), 732, 4, ... (0x73b81000), 4096, 32, ) == 0x0 02227 2020 NtProtectVirtualMemory (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0 02228 2020 NtFlushInstructionCache (-1, 1941442560, 732, ... ) == 0x0 02229 2020 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVFW32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02230 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVFW32.dll"}, 1239588, ... ) }, 1239588, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02231 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVFW32.dll"}, 1239588, ... ) }, 1239588, ... 
) == 0x0 02232 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVFW32.dll"}, 5, 96, ... 328, {status=0x0, info=1}, ) }, 5, 96, ... 328, {status=0x0, info=1}, ) == 0x0 02233 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 328, ... 324, ) == 0x0 02234 2020 NtQuerySection (324, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02235 2020 NtClose (328, ... ) == 0x0 02236 2020 NtMapViewOfSection (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 135168, ) == 0x0 02237 2020 NtClose (324, ... ) == 0x0 02238 2020 NtProtectVirtualMemory (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0 02239 2020 NtProtectVirtualMemory (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0 02240 2020 NtFlushInstructionCache (-1, 1973882880, 1008, ... ) == 0x0 02241 2020 NtProtectVirtualMemory (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0 02242 2020 NtProtectVirtualMemory (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0 02243 2020 NtFlushInstructionCache (-1, 1973882880, 1008, ... ) == 0x0 02244 2020 NtProtectVirtualMemory (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0 02245 2020 NtProtectVirtualMemory (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0 02246 2020 NtFlushInstructionCache (-1, 1973882880, 1008, ... ) == 0x0 02247 2020 NtProtectVirtualMemory (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0 02248 2020 NtProtectVirtualMemory (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0 02249 2020 NtFlushInstructionCache (-1, 1973882880, 1008, ... ) == 0x0 02250 2020 NtProtectVirtualMemory (-1, (0x75a71000), 1008, 4, ... (0x75a71000), 4096, 32, ) == 0x0 02251 2020 NtProtectVirtualMemory (-1, (0x75a71000), 4096, 32, ... (0x75a71000), 4096, 4, ) == 0x0 02252 2020 NtFlushInstructionCache (-1, 1973882880, 1008, ... ) == 0x0 02253 2020 NtProtectVirtualMemory (-1, (0x73b81000), 732, 4, ... 
(0x73b81000), 4096, 32, ) == 0x0 02254 2020 NtProtectVirtualMemory (-1, (0x73b81000), 4096, 32, ... (0x73b81000), 4096, 4, ) == 0x0 02255 2020 NtFlushInstructionCache (-1, 1941442560, 732, ... ) == 0x0 02256 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02257 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 324, ) == 0x0 02258 2020 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 328, ) == 0x0 02259 2020 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 332, ) == 0x0 02260 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 336, ) }, ... 336, ) == 0x0 02261 2020 NtQueryValueKey (336, (336, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02262 2020 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 21757952, 524288, ) == 0x0 02263 2020 NtAllocateVirtualMemory (-1, 21757952, 0, 4096, 4096, 4, ... 21757952, 4096, ) == 0x0 02264 2020 NtQueryValueKey (336, (336, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02265 2020 NtQueryValueKey (336, (336, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "wave1", Partial, 536, ... 
TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02266 2020 NtQueryValueKey (336, (336, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02267 2020 NtQueryValueKey (336, (336, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02268 2020 NtQueryValueKey (336, (336, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02269 2020 NtQueryValueKey (336, (336, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02270 2020 NtQueryValueKey (336, (336, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02271 2020 NtQueryValueKey (336, (336, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02272 2020 NtQueryValueKey (336, (336, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02273 2020 NtQueryValueKey (336, (336, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02274 2020 NtQueryValueKey (336, (336, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02275 2020 NtQueryValueKey (336, (336, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02276 2020 NtQueryValueKey (336, (336, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "midi", Partial, 536, ... 
TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02277 2020 NtQueryValueKey (336, (336, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02278 2020 NtQueryValueKey (336, (336, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02279 2020 NtQueryValueKey (336, (336, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02280 2020 NtQueryValueKey (336, (336, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02281 2020 NtQueryValueKey (336, (336, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02282 2020 NtQueryValueKey (336, (336, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02283 2020 NtQueryValueKey (336, (336, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02284 2020 NtQueryValueKey (336, (336, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02285 2020 NtQueryValueKey (336, (336, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02286 2020 NtQueryValueKey (336, (336, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02287 2020 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 02288 2020 NtQueryValueKey (336, (336, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "aux", Partial, 536, ... 
TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02289 2020 NtQueryValueKey (336, (336, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02290 2020 NtQueryValueKey (336, (336, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02291 2020 NtQueryValueKey (336, (336, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02292 2020 NtQueryValueKey (336, (336, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02293 2020 NtQueryValueKey (336, (336, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02294 2020 NtQueryValueKey (336, (336, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02295 2020 NtQueryValueKey (336, (336, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02296 2020 NtQueryValueKey (336, (336, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02297 2020 NtQueryValueKey (336, (336, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02298 2020 NtQueryValueKey (336, (336, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02299 2020 NtQueryValueKey (336, (336, "aux9", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02300 2020 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc076 02301 2020 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 340, ) }, ... 340, ) == 0x0 02302 2020 NtQueryValueKey (340, (340, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02303 2020 NtClose (340, ... ) == 0x0 02304 2020 NtCreateEvent (0x1f0003, {24, 48, 0x80, 0, 0, (0x1f0003, {24, 48, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 02305 2020 NtQueryValueKey (336, (336, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02306 2020 NtQueryValueKey (336, (336, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02307 2020 NtQueryValueKey (336, (336, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02308 2020 NtQueryValueKey (336, (336, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (336, "mixer1", Partial, 536, ... 
TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 02309 2020 NtQueryValueKey (336, (336, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02310 2020 NtQueryValueKey (336, (336, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02311 2020 NtQueryValueKey (336, (336, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02312 2020 NtQueryValueKey (336, (336, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02313 2020 NtQueryValueKey (336, (336, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02314 2020 NtQueryValueKey (336, (336, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02315 2020 NtQueryValueKey (336, (336, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02316 2020 NtQueryValueKey (336, (336, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02317 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02318 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVFW32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02319 2020 NtQueryDefaultLocale (1, 1240436, ... ) == 0x0 02320 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avicap32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02321 2020 NtQueryDefaultLocale (1, 1240440, ... ) == 0x0 02322 2020 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02323 2020 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02324 2020 NtCreateMutant (0x1f0001, {24, 48, 0x80, 0, 0, (0x1f0001, {24, 48, 0x80, 0, 0, "scavertss"}, 0, ... 340, ) }, 0, ... 340, ) == 0x0 02325 2020 NtWaitForSingleObject (340, 0, {-300000000, -1}, ... ) == 0x0 02326 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ywkeavace.exe"}, 1242412, ... ) }, 1242412, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02327 2020 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241300, (0x80100080, {24, 0, 0x40, 0, 1241300, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 344, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 344, {status=0x0, info=1}, ) == 0x0 02328 2020 NtQueryInformationFile (344, 1241736, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 02329 2020 NtQueryInformationFile (344, 1241652, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02330 2020 NtQueryInformationFile (344, 1241468, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02331 2020 NtAllocateVirtualMemory (-1, 1454080, 0, 8192, 4096, 4, ... 1454080, 8192, ) == 0x0 02332 2020 NtQueryInformationFile (344, 1450440, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 02333 2020 NtQueryInformationFile (344, 1239916, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02334 2020 NtQueryInformationFile (344, 1240192, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 02335 2020 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240068, (0x40110080, {24, 0, 0x40, 0, 1240068, "\??\C:\WINDOWS\system32\ywkeavace.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 02336 2020 NtClose (-2147482576, ... ) == 0x0 02335 2020 NtCreateFile ... 348, {status=0x0, info=2}, ) == 0x0 02337 2020 NtQueryVolumeInformationFile (348, 1240220, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 02338 2020 NtQueryInformationFile (348, 1239804, 40, Basic, ... 
{status=0x0, info=40}, ) == 0x0 02339 2020 NtQueryVolumeInformationFile (344, 1240220, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 02340 2020 NtQueryVolumeInformationFile (344, 1239564, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02341 2020 NtSetInformationFile (348, 1240120, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02342 2020 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 344, ... 352, ) == 0x0 02343 2020 NtMapViewOfSection (352, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1540000), {0, 0}, 229376, ) == 0x0 02344 2020 NtClose (352, ... ) == 0x0 02345 2020 NtWriteFile (348, 0, 0, 0, (348, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\7\0\357v\24:\0\0\0\0\0\0\0\0\340\0\17\1\13\1\1)\0 \14\0\0d\13\0\0\0\0\0\362\22\0\0\0\20\0\0\0\200\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\1\0\10\0\4\0\0\0\0\0\0\0\0\260G\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\20\0\0\0\20\0\0\3254\16rO\36\10\4\0\0\0\0\0\0\0\0\11iG\0\254E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\235\256G\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 02346 2020 NtWriteFile (348, 0, 0, 0, (348, 0, 0, 0, "\245\362\364\230I$G\244{\205\215\247=Dt{raem\337\22\310\254\347d\302[\373\37\212 \365\230Y1\14\22\234\336\300E\32\377\177\254\13\243F`\231 \370+#\231B\356JfM^\14\37\253\30\2%"\27T\15I\372F\256S\353\252\340\276\306\3225\12\200"\12jZ\V\242_\24\242\347\2\22\200\\266\5\243\240\360[\206KtT\37pK\322\220\10D\270\27^\6;\274e\34\256\22\201\315\32\16\252cq\r\205\324\230\301<\201\341\241\332Z\345\312Q\203\353]\227~\323C\353\30\223}\582\\334^.\255Y\311\377dNl\217\2149P\24t7\271\247\313\224\11\316\374M9\232!\234\2331\2101\343A\202=\177\21\271a\21\241)\245I\257\21\255\365\30O\223Nw9\16#\302'\250NX\261\305\221z\254K\207iB\242\210\257C\206\27p\2015\33\350\303\342[\244\222;\235\272\233\31\5&\24\270^\26\5o\343a\224\3610\331\35I\26\3135\364\311+\221\344\264\26%4\332\352uBK\27\216\334;\201\321(b\336\241\332~\330!\320Q\10\350\27\16\230r\5\252\247\2760\225\177,\11\2\312[\24QF\356s\232\352R\333\227(\332U\227*\30&\273\27\21\210\316\217\14\0\32\303\234\230/\261\207\335\1\236\262"\265\207\205\324\362\304\210V$w\325?>58\225\21\200q\15\243\257\310\3342Vz\223\330du\341\221x\33661\2105^J+I\306w\322T\227(\35\302\224\341\311~\3566\331\315\241Ch\0\276\312JLH\371\202(\334?\3\256o\217\262\264l\265\342\301\362",\370\250\313\242\273\274, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \27T\15I\372F\256S\353\252\340\276\306\3225\12\200 (348, 0, 0, 0, "\245\362\364\230I$G\244{\205\215\247=Dt{raem\337\22\310\254\347d\302[\373\37\212 \365\230Y1\14\22\234\336\300E\32\377\177\254\13\243F`\231 \370+#\231B\356JfM^\14\37\253\30\2%"\27T\15I\372F\256S\353\252\340\276\306\3225\12\200"\12jZ\V\242_\24\242\347\2\22\200\\266\5\243\240\360[\206KtT\37pK\322\220\10D\270\27^\6;\274e\34\256\22\201\315\32\16\252cq\r\205\324\230\301<\201\341\241\332Z\345\312Q\203\353]\227~\323C\353\30\223}\582\\334^.\255Y\311\377dNl\217\2149P\24t7\271\247\313\224\11\316\374M9\232!\234\2331\2101\343A\202=\177\21\271a\21\241)\245I\257\21\255\365\30O\223Nw9\16#\302'\250NX\261\305\221z\254K\207iB\242\210\257C\206\27p\2015\33\350\303\342[\244\222;\235\272\233\31\5&\24\270^\26\5o\343a\224\3610\331\35I\26\3135\364\311+\221\344\264\26%4\332\352uBK\27\216\334;\201\321(b\336\241\332~\330!\320Q\10\350\27\16\230r\5\252\247\2760\225\177,\11\2\312[\24QF\356s\232\352R\333\227(\332U\227*\30&\273\27\21\210\316\217\14\0\32\303\234\230/\261\207\335\1\236\262"\265\207\205\324\362\304\210V$w\325?>58\225\21\200q\15\243\257\310\3342Vz\223\330du\341\221x\33661\2105^J+I\306w\322T\227(\35\302\224\341\311~\3566\331\315\241Ch\0\276\312JLH\371\202(\334?\3\256o\217\262\264l\265\342\301\362",\370\250\313\242\273\274, 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \265\207\205\324\362\304\210V$w\325?>58\225\21\200q\15\243\257\310\3342Vz\223\330du\341\221x\33661\2105^J+I\306w\322T\227(\35\302\224\341\311~\3566\331\315\241Ch\0\276\312JLH\371\202(\334?\3\256o\217\262\264l\265\342\301\362 (348, 0, 0, 0, "\245\362\364\230I$G\244{\205\215\247=Dt{raem\337\22\310\254\347d\302[\373\37\212 \365\230Y1\14\22\234\336\300E\32\377\177\254\13\243F`\231 \370+#\231B\356JfM^\14\37\253\30\2%"\27T\15I\372F\256S\353\252\340\276\306\3225\12\200"\12jZ\V\242_\24\242\347\2\22\200\\266\5\243\240\360[\206KtT\37pK\322\220\10D\270\27^\6;\274e\34\256\22\201\315\32\16\252cq\r\205\324\230\301<\201\341\241\332Z\345\312Q\203\353]\227~\323C\353\30\223}\582\\334^.\255Y\311\377dNl\217\2149P\24t7\271\247\313\224\11\316\374M9\232!\234\2331\2101\343A\202=\177\21\271a\21\241)\245I\257\21\255\365\30O\223Nw9\16#\302'\250NX\261\305\221z\254K\207iB\242\210\257C\206\27p\2015\33\350\303\342[\244\222;\235\272\233\31\5&\24\270^\26\5o\343a\224\3610\331\35I\26\3135\364\311+\221\344\264\26%4\332\352uBK\27\216\334;\201\321(b\336\241\332~\330!\320Q\10\350\27\16\230r\5\252\247\2760\225\177,\11\2\312[\24QF\356s\232\352R\333\227(\332U\227*\30&\273\27\21\210\316\217\14\0\32\303\234\230/\261\207\335\1\236\262"\265\207\205\324\362\304\210V$w\325?>58\225\21\200q\15\243\257\310\3342Vz\223\330du\341\221x\33661\2105^J+I\306w\322T\227(\35\302\224\341\311~\3566\331\315\241Ch\0\276\312JLH\371\202(\334?\3\256o\217\262\264l\265\342\301\362",\370\250\313\242\273\274, 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 02347 2020 NtWriteFile (348, 0, 0, 0, (348, 0, 0, 0, "\270\245\11Y\311\234\351\272c\332\31\370\6\313;N\5\33m\32\307\225q\346\311\201N09`\325\30\237\320=\277\254\372/2\215\272i\205_=\304\350\266\347\242\7\277\231\253\14;!\216a*\377J\363;\362R\330\315\241\334\263\1|\243\302\34_3\227R\33\21\212\351k{\337\205\25\33=\272\34t\353\276\344\31\360\36\12\264\3367^HKX\273y\6\311\356\211;\356\7\344C\355\241\200\312A\273\356\334\306S`[\36I\227Cd^X)\266"D\201\200\33\244j\305(S\236\327\321\344\2738\330$k\345Ui\323\26\24\2308\11hT\5\320j\36=KT\342\360\351\00\200\270\301*\317&\306\6u\\350\332aHY\334\260?\11\376\276\323\307b\217R*A\352\257\213t\203&\307\342\202\206t\211\237\314\321\\344\330\345\210\222xx<\177"C\374*II\302h\366\277\261\246\274\332\245\20iv\344,\325\330\345\246\10\36"\276\35\304P\2175\332k\336\260\311F\20\221u\311lR\27\221\232\357\223@\237D\243\233r\244\5osX<\261>\353\2\267\236\204\1cu\10\251\244\326;K\320J\323\15zi\223\331\27@)P\263]-\272\37V\216\365g(\211\360Pf\7\333\236?\2\304B3\362\257J\210/\277Ti\270\365C\0\375\253\260\316\203\365%\304\355\2422W\14r\206\233\4\33\224\326\250\203\372\35\305\315\232;}\260G\310\202V\331E\326\246\324@\214\234\304\325\370\267W\3125Ei\374\30yO\\277~\12\352\356s\304\208\177c$Uc{'\344O \25\17U\3129\244\353w\356\364}\27\254,\261}~\250g\227\346\212\347\316\371;\24l7.\340\311w\236\243\336\25\264\7~\352}]\270\215\240\270\227\21\222Is\4.Q\216\375\25u\242\333\344\370w", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) D\201\200\33\244j\305(S\236\327\321\344\2738\330$k\345Ui\323\26\24\2308\11hT\5\320j\36=KT\342\360\351\00\200\270\301*\317&\306\6u\\350\332aHY\334\260?\11\376\276\323\307b\217R*A\352\257\213t\203&\307\342\202\206t\211\237\314\321\\344\330\345\210\222xx<\177 (348, 0, 0, 0, "\270\245\11Y\311\234\351\272c\332\31\370\6\313;N\5\33m\32\307\225q\346\311\201N09`\325\30\237\320=\277\254\372/2\215\272i\205_=\304\350\266\347\242\7\277\231\253\14;!\216a*\377J\363;\362R\330\315\241\334\263\1|\243\302\34_3\227R\33\21\212\351k{\337\205\25\33=\272\34t\353\276\344\31\360\36\12\264\3367^HKX\273y\6\311\356\211;\356\7\344C\355\241\200\312A\273\356\334\306S`[\36I\227Cd^X)\266"D\201\200\33\244j\305(S\236\327\321\344\2738\330$k\345Ui\323\26\24\2308\11hT\5\320j\36=KT\342\360\351\00\200\270\301*\317&\306\6u\\350\332aHY\334\260?\11\376\276\323\307b\217R*A\352\257\213t\203&\307\342\202\206t\211\237\314\321\\344\330\345\210\222xx<\177"C\374*II\302h\366\277\261\246\274\332\245\20iv\344,\325\330\345\246\10\36"\276\35\304P\2175\332k\336\260\311F\20\221u\311lR\27\221\232\357\223@\237D\243\233r\244\5osX<\261>\353\2\267\236\204\1cu\10\251\244\326;K\320J\323\15zi\223\331\27@)P\263]-\272\37V\216\365g(\211\360Pf\7\333\236?\2\304B3\362\257J\210/\277Ti\270\365C\0\375\253\260\316\203\365%\304\355\2422W\14r\206\233\4\33\224\326\250\203\372\35\305\315\232;}\260G\310\202V\331E\326\246\324@\214\234\304\325\370\267W\3125Ei\374\30yO\\277~\12\352\356s\304\208\177c$Uc{'\344O \25\17U\3129\244\353w\356\364}\27\254,\261}~\250g\227\346\212\347\316\371;\24l7.\340\311w\236\243\336\25\264\7~\352}]\270\215\240\270\227\21\222Is\4.Q\216\375\25u\242\333\344\370w", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \276\35\304P\2175\332k\336\260\311F\20\221u\311lR\27\221\232\357\223@\237D\243\233r\244\5osX<\261>\353\2\267\236\204\1cu\10\251\244\326;K\320J\323\15zi\223\331\27@)P\263]-\272\37V\216\365g(\211\360Pf\7\333\236?\2\304B3\362\257J\210/\277Ti\270\365C\0\375\253\260\316\203\365%\304\355\2422W\14r\206\233\4\33\224\326\250\203\372\35\305\315\232;}\260G\310\202V\331E\326\246\324@\214\234\304\325\370\267W\3125Ei\374\30yO\\277~\12\352\356s\304\208\177c$Uc{'\344O \25\17U\3129\244\353w\356\364}\27\254,\261}~\250g\227\346\212\347\316\371;\24l7.\340\311w\236\243\336\25\264\7~\352}]\270\215\240\270\227\21\222Is\4.Q\216\375\25u\242\333\344\370w", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 02348 2020 NtWriteFile (348, 0, 0, 0, (348, 0, 0, 0, "K\105\222\274R\333\367#\230\375\306F\237\22v\327\226\254\331\351yW!j\5\301\31\254\317\201\275U\273}\235S+E\203\344$\354\204\216\5\353\20h\352*.C\275\203Z\300\26M\0\373\321\221i\327\254\223\365\350\1|\336\331=\23\337\221\311`\253\277u\233nY\\306_^iSn\302t\232F\31I\377\205\24s\364\7\1\225M\0b\303\12\231\376:>B2\277WQ\310\326\332\10\355-z\317\252\33\321\10\13\256\221|\216\363\20\230xdw\307\300\373i^\314\35\217\326\350\230\5\346\313\342\200\347\345:"Nkl`\243\273\215\304S\15m\270\36\316i\335\317{5\346d\234\274\240\5\301\26\232Q\331\246\31\227cZ\307DrTE\217\222\10n\14\327\252\251{n\206gm\321\276\0\277\3<\321\20\357\260\313\35\343s\255(\270\312\377|\355k@\325\233u\5\7\366\246l\246N:-pCES\216\33W\276\177\323d\354\5LC0\17\325\234\215\335BN\26\261m3|X\207|\227\201\240!\331\260x\\261)\362\307\214\21\22mj\233\314M"\321$(\361<\267\302\317\260\12\343\334\343\236q\22\255\233G\32\342MK\322\335=\221\344\200\224\26\210\337\272k\347\345\354\352\7]B\335v\264\301\241\300\252r\374\6\36\2203\37\10v\256\246\245\255\327\244j\213\240\357\330\220\366\312\305\220d\202\316aZ+\374Z\246\32Z@\23#\273\334\267D\11\367\360\14\270\277\252\242\203?CL\361)6p\305\202\323S\4Y\226\20\247z\366\210\210:d\266dyT\320\35\227p\337HL\255\225\222\4\305\3
42\244,)v\25\327r\237\207\257=\226L*\21[I\222\344\347L\316\204&\204\12gpK\250\17\22.\376\374\3\242\357\355\337-\32\2673\266\324\34\264\210\272\376\240\4\20H\30o", 44032, 0x0, 0, ... {status=0x0, info=44032}, ) Nkl`\243\273\215\304S\15m\270\36\316i\335\317{5\346d\234\274\240\5\301\26\232Q\331\246\31\227cZ\307DrTE\217\222\10n\14\327\252\251{n\206gm\321\276\0\277\3<\321\20\357\260\313\35\343s\255(\270\312\377|\355k@\325\233u\5\7\366\246l\246N:-pCES\216\33W\276\177\323d\354\5LC0\17\325\234\215\335BN\26\261m3|X\207|\227\201\240!\331\260x\\261)\362\307\214\21\22mj\233\314M (348, 0, 0, 0, "K\105\222\274R\333\367#\230\375\306F\237\22v\327\226\254\331\351yW!j\5\301\31\254\317\201\275U\273}\235S+E\203\344$\354\204\216\5\353\20h\352*.C\275\203Z\300\26M\0\373\321\221i\327\254\223\365\350\1|\336\331=\23\337\221\311`\253\277u\233nY\\306_^iSn\302t\232F\31I\377\205\24s\364\7\1\225M\0b\303\12\231\376:>B2\277WQ\310\326\332\10\355-z\317\252\33\321\10\13\256\221|\216\363\20\230xdw\307\300\373i^\314\35\217\326\350\230\5\346\313\342\200\347\345:"Nkl`\243\273\215\304S\15m\270\36\316i\335\317{5\346d\234\274\240\5\301\26\232Q\331\246\31\227cZ\307DrTE\217\222\10n\14\327\252\251{n\206gm\321\276\0\277\3<\321\20\357\260\313\35\343s\255(\270\312\377|\355k@\325\233u\5\7\366\246l\246N:-pCES\216\33W\276\177\323d\354\5LC0\17\325\234\215\335BN\26\261m3|X\207|\227\201\240!\331\260x\\261)\362\307\214\21\22mj\233\314M"\321$(\361<\267\302\317\260\12\343\334\343\236q\22\255\233G\32\342MK\322\335=\221\344\200\224\26\210\337\272k\347\345\354\352\7]B\335v\264\301\241\300\252r\374\6\36\2203\37\10v\256\246\245\255\327\244j\213\240\357\330\220\366\312\305\220d\202\316aZ+\374Z\246\32Z@\23#\273\334\267D\11\367\360\14\270\277\252\242\203?CL\361)6p\305\202\323S\4Y\226\20\247z\366\210\210:d\266dyT\320\35\227p\337HL\255\225\222\4\305\342\244,)v\25\327r\237\207\257=\226L*\21[I\222\344\347L\316\204&\204\12gpK\250\17\22.\376\374\3\242\357\355\337-\32\2673\266\324\34\264\210\272\376\240\4\20H\30o", 44032, 0x0, 0, ... 
{status=0x0, info=44032}, ) , 44032, 0x0, 0, ... {status=0x0, info=44032}, ) == 0x0 02349 2020 NtUnmapViewOfSection (-1, 0x1540000, ... ) == 0x0 02350 2020 NtSetInformationFile (348, 1241468, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02351 2020 NtClose (344, ... ) == 0x0 02352 2020 NtClose (348, ... ) == 0x0 02353 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\explorer.exe"}, 1241288, ... ) }, 1241288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02354 2020 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "explorer.exe"}, 1241288, ... ) }, 1241288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02355 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\explorer.exe"}, 1241288, ... ) }, 1241288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02356 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\explorer.exe"}, 1241288, ... ) }, 1241288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02357 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\explorer.exe"}, 1241288, ... ) }, 1241288, ... ) == 0x0 02358 2020 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242088, (0x80100080, {24, 0, 0x40, 0, 1242088, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0 02359 2020 NtQueryInformationFile (348, 1242140, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02360 2020 NtClose (348, ... ) == 0x0 02361 2020 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1242088, (0x40100080, {24, 0, 0x40, 0, 1242088, "\??\C:\WINDOWS\system32\ywkeavace.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0 02362 2020 NtSetInformationFile (348, 1242140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02363 2020 NtClose (348, ... 
) == 0x0 02364 2020 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ywkeavace.exe"}, 7, 2113568, ... 348, {status=0x0, info=1}, ) }, 7, 2113568, ... 348, {status=0x0, info=1}, ) == 0x0 02365 2020 NtSetInformationFile (348, 1242388, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02366 2020 NtClose (348, ... ) == 0x0 02367 2020 NtOpenProcess (0x100000, {24, 0, 0x2, 0, 0, 0x0}, {868, 0}, ... 348, ) == 0x0 02368 2020 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 02369 2020 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ywkeavace.exe"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 02370 2020 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 344, ... 352, ) == 0x0 02371 2020 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02372 2020 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 356, ) }, ... 356, ) == 0x0 02373 2020 NtQueryValueKey (356, (356, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02374 2020 NtClose (356, ... ) == 0x0 02375 2020 NtQueryVolumeInformationFile (344, 1238764, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02376 2020 NtOpenMutant (0x120001, {24, 48, 0x0, 0, 0, (0x120001, {24, 48, 0x0, 0, 0, "ShimCacheMutex"}, ... 356, ) }, ... 356, ) == 0x0 02377 2020 NtWaitForSingleObject (356, 0, {-1000000, -1}, ... ) == 0x0 02378 2020 NtOpenSection (0x2, {24, 48, 0x0, 0, 0, (0x2, {24, 48, 0x0, 0, 0, "ShimSharedMemory"}, ... 360, ) }, ... 360, ) == 0x0 02379 2020 NtMapViewOfSection (360, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x1040000), {0, 0}, 57344, ) == 0x0 02380 2020 NtReleaseMutant (356, ... 0x0, ) == 0x0 02381 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1236696, ... ) }, 1236696, ... ) == 0x0 02382 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0 02383 2020 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 364, ... 368, ) == 0x0 02384 2020 NtClose (364, ... ) == 0x0 02385 2020 NtMapViewOfSection (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1540000), 0x0, 126976, ) == 0x0 02386 2020 NtClose (368, ... ) == 0x0 02387 2020 NtUnmapViewOfSection (-1, 0x1540000, ... ) == 0x0 02388 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237004, ... ) }, 1237004, ... ) == 0x0 02389 2020 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0 02390 2020 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 368, ... 364, ) == 0x0 02391 2020 NtQuerySection (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02392 2020 NtClose (368, ... ) == 0x0 02393 2020 NtMapViewOfSection (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0 02394 2020 NtClose (364, ... ) == 0x0 02395 2020 NtProtectVirtualMemory (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0 02396 2020 NtProtectVirtualMemory (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0 02397 2020 NtFlushInstructionCache (-1, 2008289280, 524, ... ) == 0x0 02398 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02399 2020 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) == 0x0 02400 2020 NtQueryInformationFile (364, 1237020, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02401 2020 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 364, ... 368, ) == 0x0 02402 2020 NtMapViewOfSection (368, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1540000), 0x0, 1191936, ) == 0x0 02403 2020 NtQueryInformationFile (364, 1237120, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02404 2020 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02405 2020 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02406 2020 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02407 2020 NtOpenKey (0x101, {24, 0, 0x40, 0, 0, (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02408 2020 NtOpenKey (0x101, {24, 0, 0x40, 0, 0, (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 372, ) }, ... 372, ) == 0x0 02409 2020 NtQueryValueKey (372, (372, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (372, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02410 2020 NtClose (372, ... ) == 0x0 02411 2020 NtCreateFile (0x120116, {24, 0, 0x40, 0, 0, (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02412 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0 02413 2020 NtQueryDirectoryFile (372, 0, 0, 0, 1234716, 616, BothDirectory, 1, (372, 0, 0, 0, 1234716, 616, BothDirectory, 1, "ywkeavace.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0 02414 2020 NtClose (372, ... ) == 0x0 02415 2020 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02416 2020 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02417 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ywkeavace.exe"}, 1235092, ... ) }, 1235092, ... ) == 0x0 02418 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0 02419 2020 NtQueryDirectoryFile (372, 0, 0, 0, 1234520, 616, BothDirectory, 1, (372, 0, 0, 0, 1234520, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02420 2020 NtClose (372, ... ) == 0x0 02421 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0 02422 2020 NtQueryDirectoryFile (372, 0, 0, 0, 1234520, 616, BothDirectory, 1, (372, 0, 0, 0, 1234520, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02423 2020 NtClose (372, ... ) == 0x0 02424 2020 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02425 2020 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02426 2020 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02427 2020 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02428 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02429 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 372, ) == 0x0 02430 2020 NtQueryInformationToken (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02431 2020 NtClose (372, ... ) == 0x0 02432 2020 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02433 2020 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ywkeavace.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02434 2020 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02435 2020 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02436 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ywkeavace.exe"}, 1236344, ... ) }, 1236344, ... ) == 0x0 02437 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 
372, {status=0x0, info=1}, ) == 0x0 02438 2020 NtQueryDirectoryFile (372, 0, 0, 0, 1235772, 616, BothDirectory, 1, (372, 0, 0, 0, 1235772, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02439 2020 NtClose (372, ... ) == 0x0 02440 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0 02441 2020 NtQueryDirectoryFile (372, 0, 0, 0, 1235772, 616, BothDirectory, 1, (372, 0, 0, 0, 1235772, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02442 2020 NtClose (372, ... ) == 0x0 02443 2020 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02444 2020 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02445 2020 NtWaitForSingleObject (356, 0, {-1000000, -1}, ... ) == 0x0 02446 2020 NtQueryVolumeInformationFile (344, 1237000, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02447 2020 NtQueryInformationFile (344, 1236980, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02448 2020 NtQueryInformationFile (344, 1237020, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02449 2020 NtReleaseMutant (356, ... 0x0, ) == 0x0 02450 2020 NtUnmapViewOfSection (-1, 0x1540000, ... ) == 0x0 02451 2020 NtClose (368, ... ) == 0x0 02452 2020 NtClose (364, ... ) == 0x0 02453 2020 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 02454 2020 NtOpenProcessToken (-1, 0xa, ... 364, ) == 0x0 02455 2020 NtQueryInformationToken (364, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 02456 2020 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02457 2020 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 368, ) }, ... 368, ) == 0x0 02458 2020 NtQueryValueKey (368, (368, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (368, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02459 2020 NtQueryValueKey (368, (368, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (368, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02460 2020 NtClose (368, ... ) == 0x0 02461 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02462 2020 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 368, ) }, ... 368, ) == 0x0 02463 2020 NtQueryValueKey (368, (368, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02464 2020 NtClose (368, ... ) == 0x0 02465 2020 NtQueryDefaultLocale (1, 1238192, ... ) == 0x0 02466 2020 NtQueryDefaultLocale (1, 1238192, ... ) == 0x0 02467 2020 NtQueryDefaultLocale (1, 1238192, ... ) == 0x0 02468 2020 NtQueryDefaultLocale (1, 1238192, ... ) == 0x0 02469 2020 NtQueryDefaultLocale (1, 1238192, ... ) == 0x0 02470 2020 NtQueryDefaultLocale (1, 1238192, ... ) == 0x0 02471 2020 NtQueryDefaultLocale (1, 1238192, ... ) == 0x0 02472 2020 NtQueryDefaultLocale (1, 1238192, ... ) == 0x0 02473 2020 NtQueryDefaultLocale (1, 1238192, ... ) == 0x0 02474 2020 NtQueryDefaultLocale (1, 1238192, ... 
) == 0x0 02475 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 368, ) }, ... 368, ) == 0x0 02476 2020 NtEnumerateKey (368, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (368, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 02477 2020 NtOpenKey (0x20019, {24, 368, 0x40, 0, 0, (0x20019, {24, 368, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 372, ) }, ... 372, ) == 0x0 02478 2020 NtQueryValueKey (372, (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 02479 2020 NtQueryValueKey (372, (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02480 2020 NtClose (372, ... ) == 0x0 02481 2020 NtEnumerateKey (368, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 02482 2020 NtClose (368, ... 
) == 0x0 02483 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 368, ) }, ... 368, ) == 0x0 02484 2020 NtEnumerateKey (368, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (368, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0 02485 2020 NtOpenKey (0x20019, {24, 368, 0x40, 0, 0, (0x20019, {24, 368, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 372, ) }, ... 372, ) == 0x0 02486 2020 NtQueryValueKey (372, (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0 02487 2020 NtQueryValueKey (372, (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 02488 2020 NtQueryValueKey (372, (372, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (372, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02489 2020 NtQueryValueKey (372, (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02490 2020 NtClose (372, ... ) == 0x0 02491 2020 NtEnumerateKey (368, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (368, 1, Basic, 280, ... 
{LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0 02492 2020 NtOpenKey (0x20019, {24, 368, 0x40, 0, 0, (0x20019, {24, 368, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 372, ) }, ... 372, ) == 0x0 02493 2020 NtQueryValueKey (372, (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0 02494 2020 NtQueryValueKey (372, (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 02495 2020 NtQueryValueKey (372, (372, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (372, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02496 2020 NtQueryValueKey (372, (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02497 2020 NtClose (372, ... ) == 0x0 02498 2020 NtEnumerateKey (368, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (368, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0 02499 2020 NtOpenKey (0x20019, {24, 368, 0x40, 0, 0, (0x20019, {24, 368, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 372, ) }, ... 372, ) == 0x0 02500 2020 NtQueryValueKey (372, (372, "ItemData", Partial, 280, ... 
TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0 02501 2020 NtQueryValueKey (372, (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 02502 2020 NtQueryValueKey (372, (372, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (372, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02503 2020 NtQueryValueKey (372, (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02504 2020 NtClose (372, ... ) == 0x0 02505 2020 NtEnumerateKey (368, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (368, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0 02506 2020 NtOpenKey (0x20019, {24, 368, 0x40, 0, 0, (0x20019, {24, 368, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 372, ) }, ... 372, ) == 0x0 02507 2020 NtQueryValueKey (372, (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0 02508 2020 NtQueryValueKey (372, (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... 
TitleIdx=0, Type=4, Data= (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 02509 2020 NtQueryValueKey (372, (372, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (372, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02510 2020 NtQueryValueKey (372, (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02511 2020 NtClose (372, ... ) == 0x0 02512 2020 NtEnumerateKey (368, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (368, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0 02513 2020 NtOpenKey (0x20019, {24, 368, 0x40, 0, 0, (0x20019, {24, 368, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 372, ) }, ... 372, ) == 0x0 02514 2020 NtQueryValueKey (372, (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0 02515 2020 NtQueryValueKey (372, (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 02516 2020 NtQueryValueKey (372, (372, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (372, "ItemSize", Partial, 280, ... 
TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02517 2020 NtQueryValueKey (372, (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02518 2020 NtClose (372, ... ) == 0x0 02519 2020 NtEnumerateKey (368, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 02520 2020 NtClose (368, ... ) == 0x0 02521 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02522 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02523 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02524 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02525 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02526 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02527 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02528 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02529 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02530 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02531 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02532 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02533 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02534 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02535 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02536 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02537 2020 NtClose (368, ... ) == 0x0 02538 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02539 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02540 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02541 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02542 2020 NtClose (368, ... ) == 0x0 02543 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02544 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02545 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02546 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02547 2020 NtClose (368, ... ) == 0x0 02548 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02549 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02550 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02551 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02552 2020 NtClose (368, ... ) == 0x0 02553 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02554 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02555 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02556 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02557 2020 NtClose (368, ... 
) == 0x0 02558 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02559 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02560 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02561 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02562 2020 NtClose (368, ... ) == 0x0 02563 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02564 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02565 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02566 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02567 2020 NtClose (368, ... ) == 0x0 02568 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02569 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02570 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02571 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02572 2020 NtClose (368, ... ) == 0x0 02573 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02574 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 02575 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02576 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02577 2020 NtClose (368, ... ) == 0x0 02578 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02579 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02580 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02581 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02582 2020 NtClose (368, ... ) == 0x0 02583 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02584 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02585 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02586 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02587 2020 NtClose (368, ... ) == 0x0 02588 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02589 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02590 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02591 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02592 2020 NtClose (368, ... 
) == 0x0 02593 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02594 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02595 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02596 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02597 2020 NtClose (368, ... ) == 0x0 02598 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02599 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02600 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02601 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02602 2020 NtClose (368, ... ) == 0x0 02603 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02604 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02605 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02606 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02607 2020 NtClose (368, ... ) == 0x0 02608 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02609 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 368, ) }, ... 368, ) == 0x0 02610 2020 NtQueryValueKey (368, (368, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (368, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (368, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 02611 2020 NtClose (368, ... ) == 0x0 02612 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02613 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02614 2020 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02615 2020 NtClose (368, ... ) == 0x0 02616 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02617 2020 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 02618 2020 NtOpenProcessToken (-1, 0xa, ... 368, ) == 0x0 02619 2020 NtDuplicateToken (368, 0xc, {24, 0, 0x0, 0, 1238624, 0x0}, 0, 2, ... 372, ) == 0x0 02620 2020 NtClose (368, ... ) == 0x0 02621 2020 NtAccessCheck (1458512, 372, 0x1, 1238700, 1238752, 56, 1238732, ... (0x1), ) == 0x0 02622 2020 NtClose (372, ... ) == 0x0 02623 2020 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 372, ) }, ... 372, ) == 0x0 02624 2020 NtQueryValueKey (372, (372, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (372, "PolicyScope", Partial, 80, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02625 2020 NtClose (372, ... ) == 0x0 02626 2020 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 372, ) }, ... 372, ) == 0x0 02627 2020 NtQuerySymbolicLinkObject (372, ... (372, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 02628 2020 NtClose (372, ... ) == 0x0 02629 2020 NtQueryVolumeInformationFile (344, 1236456, 8, Device, ... {status=0x0, info=8}, ) == 0x0 02630 2020 NtQueryInformationFile (344, 1236572, 528, Name, ... {status=0x0, info=66}, ) == 0x0 02631 2020 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02632 2020 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02633 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ywkeavace.exe"}, 1235744, ... ) }, 1235744, ... ) == 0x0 02634 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0 02635 2020 NtQueryDirectoryFile (372, 0, 0, 0, 1235172, 616, BothDirectory, 1, (372, 0, 0, 0, 1235172, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02636 2020 NtClose (372, ... ) == 0x0 02637 2020 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0 02638 2020 NtQueryDirectoryFile (372, 0, 0, 0, 1235172, 616, BothDirectory, 1, (372, 0, 0, 0, 1235172, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02639 2020 NtClose (372, ... ) == 0x0 02640 2020 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02641 2020 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02642 2020 NtQueryInformationFile (344, 1238612, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02643 2020 NtCreateSection (0xf0005, 0x0, {228352, 0}, 2, 134217728, 344, ... 372, ) == 0x0 02644 2020 NtMapViewOfSection (372, -1, (0x0), 0, 0, {0, 0}, 228352, 1, 0, 2, ... (0x1540000), {0, 0}, 229376, ) == 0x0 02645 2020 NtClose (372, ... ) == 0x0 02646 2020 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02647 2020 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 372, ) == 0x0 02648 2020 NtQueryInformationToken (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02649 2020 NtClose (372, ... ) == 0x0 02650 2020 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 372, ) }, ... 372, ) == 0x0 02651 2020 NtOpenKey (0x20019, {24, 372, 0x40, 0, 0, (0x20019, {24, 372, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 368, ) }, ... 368, ) == 0x0 02652 2020 NtClose (372, ... ) == 0x0 02653 2020 NtQueryValueKey (368, (368, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02654 2020 NtQueryValueKey (368, (368, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (368, "Cache", Partial, 174, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0 02655 2020 NtClose (368, ... ) == 0x0 02656 2020 NtUnmapViewOfSection (-1, 0x1540000, ... ) == 0x0 02657 2020 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 17104896, 4096, ) == 0x0 02658 2020 NtAllocateVirtualMemory (-1, 17104896, 0, 4096, 4096, 4, ... 17104896, 4096, ) == 0x0 02659 2020 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 368, ) }, ... 368, ) == 0x0 02660 2020 NtQueryValueKey (368, (368, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02661 2020 NtClose (368, ... ) == 0x0 02662 2020 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02663 2020 NtQueryInformationToken (364, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 02664 2020 NtQueryInformationToken (364, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 02665 2020 NtClose (364, ... ) == 0x0 02666 2020 NtQuerySection (352, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02667 2020 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ywkeavace.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02668 2020 NtQuerySystemInformation (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0 02669 2020 NtCreateProcessEx (1240536, 2035711, 0, -1, 4, 352, 0, 0, 0, ... ) == 0x0 02670 2020 NtSetInformationProcess (364, PriorityClass, {process info, class 18, size 2}, 512, ... 
) == 0x0 02671 2020 NtQueryInformationProcess (364, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd6000,AffinityMask=0x1,BasePriority=8,Pid=748,ParentPid=868,}, 0x0, ) == 0x0 02672 2020 NtReadVirtualMemory (364, 0x7ffd6008, 4, ... (364, 0x7ffd6008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 02673 2020 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ywkeavace.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02674 2020 NtAllocateVirtualMemory (-1, 1462272, 0, 8192, 4096, 4, ... 1462272, 8192, ) == 0x0 02675 2020 NtReadVirtualMemory (364, 0x400000, 4096, ... (364, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\7\0\357v\24:\0\0\0\0\0\0\0\0\340\0\17\1\13\1\1)\0 \14\0\0d\13\0\0\0\0\0\362\22\0\0\0\20\0\0\0\200\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\1\0\10\0\4\0\0\0\0\0\0\0\0\260G\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\20\0\0\0\20\0\0\3254\16rO\36\10\4\0\0\0\0\0\0\0\0\11iG\0\254E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\235\256G\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 02676 2020 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02677 2020 NtQueryInformationProcess (364, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffd6000,AffinityMask=0x1,BasePriority=8,Pid=748,ParentPid=868,}, 0x0, ) == 0x0 02678 2020 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1239488, ... ) }, 1239488, ... ) == 0x0 02679 2020 NtAllocateVirtualMemory (-1, 0, 0, 2420, 4096, 4, ... 22282240, 4096, ) == 0x0 02680 2020 NtAllocateVirtualMemory (364, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0 02681 2020 NtWriteVirtualMemory (364, 0x10000, (364, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0 02682 2020 NtAllocateVirtualMemory (364, 0, 0, 2420, 4096, 4, ... 
131072, 4096, ) == 0x0 02683 2020 NtWriteVirtualMemory (364, 0x20000, (364, 0x20000, "\0\20\0\0t\11\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\364\3\366\3\230\4\0\0B\0D\0\220\10\0\0t\0v\0\324\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\2\0L\11\0\0\36\0 \0P\11\0\0\0\0\2\0p\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2420, ... 0x0, ) , 2420, ... 0x0, ) == 0x0 02684 2020 NtWriteVirtualMemory (364, 0x7ffd6010, (364, 0x7ffd6010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02685 2020 NtWriteVirtualMemory (364, 0x7ffd61e8, (364, 0x7ffd61e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 02686 2020 NtFreeVirtualMemory (-1, (0x1540000), 0, 32768, ... (0x1540000), 4096, ) == 0x0 02687 2020 NtAllocateVirtualMemory (364, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 02688 2020 NtAllocateVirtualMemory (364, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 02689 2020 NtProtectVirtualMemory (364, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 02690 2020 NtCreateThread (0x1f03ff, 0x0, 364, 1240544, 1240208, 1, ... 
368, {748, 1300}, ) == 0x0 02691 2020 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 2089879886, 20773, 1241136, 1242076} (24, {168, 196, new_msg, 0, 2089879886, 20773, 1241136, 1242076} "\0\0\0\0\0\0\1\0\4\364\22\0\10\0\0\0o\1\0\0p\1\0\0\354\2\0\0\24\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\334\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\22\0\0\0\0\0" ... {168, 196, reply, 0, 868, 2020, 75668, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\10\0\0\0l\1\0\0p\1\0\0\354\2\0\0\24\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\334\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\22\0\0\0\0\0" ) ... {168, 196, reply, 0, 868, 2020, 75668, 0} (24, {168, 196, new_msg, 0, 2089879886, 20773, 1241136, 1242076} "\0\0\0\0\0\0\1\0\4\364\22\0\10\0\0\0o\1\0\0p\1\0\0\354\2\0\0\24\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\334\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\22\0\0\0\0\0" ... {168, 196, reply, 0, 868, 2020, 75668, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\10\0\0\0l\1\0\0p\1\0\0\354\2\0\0\24\5\0\0\0\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\334\375\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\22\0\0\0\0\0" ) ) == 0x0 02692 2020 NtResumeThread (368, ... 1, ) == 0x0 02693 2020 NtClose (344, ... ) == 0x0 02694 2020 NtClose (352, ... ) == 0x0 02695 2020 NtDelayExecution (0, {-2000000, -1}, ... 
) == 0x0 02696 2020 NtClose (364, ... ) == 0x0 02697 2020 NtClose (368, ... ) == 0x0 02698 2020 NtTerminateProcess (0, 0, ... 00939 928 NtWaitForMultipleObjects ... ) == 0xc0 02698 2020 NtTerminateProcess ... ) == 0x0 02699 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x14,}, 4, ... ) == 0x0 02700 2020 NtClose (336, ... ) == 0x0 02701 2020 NtClose (324, ... ) == 0x0 02702 2020 NtClose (328, ... ) == 0x0 02703 2020 NtClose (332, ... ) == 0x0 02704 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0 02705 2020 NtFreeVirtualMemory (-1, (0xff0000), 0, 32768, ... (0xff0000), 65536, ) == 0x0 02706 2020 NtClose (260, ... ) == 0x0 02707 2020 NtClose (264, ... ) == 0x0 02708 2020 NtClose (272, ... ) == 0x0 02709 2020 NtClose (268, ... ) == 0x0 02710 2020 NtClose (276, ... ) == 0x0 02711 2020 NtClose (280, ... ) == 0x0 02712 2020 NtClose (284, ... ) == 0x0 02713 2020 NtClose (300, ... ) == 0x0 02714 2020 NtClose (296, ... ) == 0x0 02715 2020 NtClose (292, ... ) == 0x0 02716 2020 NtClose (288, ... ) == 0x0 02717 2020 NtUserGetAtomName (49211, 1241344, ... ) == 0xf 02718 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02719 2020 NtUserGetAtomName (49213, 1241344, ... ) == 0xd 02720 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02721 2020 NtUserGetAtomName (49215, 1241344, ... ) == 0x10 02722 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02723 2020 NtUserGetAtomName (49217, 1241344, ... ) == 0x12 02724 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02725 2020 NtUserGetAtomName (49219, 1241344, ... ) == 0xd 02726 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02727 2020 NtUserGetAtomName (49221, 1241344, ... ) == 0xb 02728 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02729 2020 NtUserGetAtomName (49223, 1241344, ... 
) == 0xf 02730 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02731 2020 NtUserGetAtomName (49225, 1241344, ... ) == 0xd 02732 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02733 2020 NtUserGetAtomName (49227, 1241344, ... ) == 0x11 02734 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02735 2020 NtUserGetAtomName (49229, 1241344, ... ) == 0xf 02736 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02737 2020 NtUserGetAtomName (49231, 1241344, ... ) == 0x11 02738 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02739 2020 NtUserGetAtomName (49233, 1241344, ... ) == 0xf 02740 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02741 2020 NtUserGetAtomName (49235, 1241344, ... ) == 0xc 02742 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02743 2020 NtUserGetAtomName (49237, 1241336, ... ) == 0xd 02744 2020 NtUserUnregisterClass (1241396, 1560870912, 1241384, ... ) == 0x1 02745 2020 NtUserGetAtomName (49239, 1241336, ... ) == 0x11 02746 2020 NtUserUnregisterClass (1241396, 1560870912, 1241384, ... ) == 0x1 02747 2020 NtUserGetAtomName (49241, 1241344, ... ) == 0xc 02748 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02749 2020 NtUserGetAtomName (49243, 1241344, ... ) == 0xe 02750 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02751 2020 NtUserGetAtomName (49245, 1241344, ... ) == 0x8 02752 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02753 2020 NtUserGetAtomName (49247, 1241344, ... ) == 0xd 02754 2020 NtUserUnregisterClass (1241404, 1560870912, 1241392, ... ) == 0x1 02755 2020 NtUnmapViewOfSection (-1, 0x1320000, ... ) == 0x0 02756 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 02757 2020 NtFreeVirtualMemory (-1, (0xfb0000), 0, 32768, ... (0xfb0000), 65536, ) == 0x0 02758 2020 NtClose (184, ... 
) == 0x0 02759 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0 02760 2020 NtUserQueryWindow (65670, 0, ... ) == 0x6b8 02761 2020 NtUserQueryWindow (65670, 1, ... ) == 0x6bc 02762 2020 NtUnmapViewOfSection (-1, 0xf90000, ... ) == 0x0 02763 2020 NtClose (180, ... ) == 0x0 02764 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 02765 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 02766 2020 NtClose (156, ... ) == 0x0 02767 2020 NtClose (152, ... ) == 0x0 02768 2020 NtClose (160, ... ) == 0x0 02769 2020 NtUserGetAtomName (49211, 1241376, ... ) == 0xf 02770 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02771 2020 NtUserGetAtomName (49213, 1241376, ... ) == 0xd 02772 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02773 2020 NtUserGetAtomName (49215, 1241376, ... ) == 0x10 02774 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02775 2020 NtUserGetAtomName (49217, 1241376, ... ) == 0x12 02776 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02777 2020 NtUserGetAtomName (49219, 1241376, ... ) == 0xd 02778 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02779 2020 NtUserGetAtomName (49221, 1241376, ... ) == 0xb 02780 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02781 2020 NtUserGetAtomName (49223, 1241376, ... ) == 0xf 02782 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02783 2020 NtUserGetAtomName (49225, 1241376, ... ) == 0xd 02784 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02785 2020 NtUserGetAtomName (49227, 1241376, ... ) == 0x11 02786 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02787 2020 NtUserGetAtomName (49229, 1241376, ... ) == 0xf 02788 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... 
) == 0x1 02789 2020 NtUserGetAtomName (49231, 1241376, ... ) == 0x11 02790 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02791 2020 NtUserGetAtomName (49233, 1241376, ... ) == 0xf 02792 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02793 2020 NtUserGetAtomName (49235, 1241376, ... ) == 0xc 02794 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02795 2020 NtUserGetAtomName (49237, 1241368, ... ) == 0xd 02796 2020 NtUserUnregisterClass (1241428, 2000486400, 1241416, ... ) == 0x1 02797 2020 NtUserGetAtomName (49239, 1241368, ... ) == 0x11 02798 2020 NtUserUnregisterClass (1241428, 2000486400, 1241416, ... ) == 0x1 02799 2020 NtUserGetAtomName (49241, 1241376, ... ) == 0xc 02800 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02801 2020 NtUserGetAtomName (49243, 1241376, ... ) == 0xe 02802 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02803 2020 NtUserGetAtomName (49245, 1241376, ... ) == 0x8 02804 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02805 2020 NtUserGetAtomName (49247, 1241376, ... ) == 0xd 02806 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02807 2020 NtUserGetAtomName (49175, 1241376, ... ) == 0x6 02808 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02809 2020 NtUserGetAtomName (49177, 1241376, ... ) == 0x6 02810 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02811 2020 NtUserGetAtomName (49176, 1241376, ... ) == 0x4 02812 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02813 2020 NtUserGetAtomName (49178, 1241376, ... ) == 0x7 02814 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02815 2020 NtUserGetAtomName (49180, 1241376, ... ) == 0x8 02816 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02817 2020 NtUserGetAtomName (49182, 1241376, ... 
) == 0x9 02818 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02819 2020 NtUserGetAtomName (49179, 1241368, ... ) == 0x9 02820 2020 NtUserUnregisterClass (1241428, 2000486400, 1241416, ... ) == 0x1 02821 2020 NtUserGetAtomName (49256, 1241376, ... ) == 0x7 02822 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02823 2020 NtUserGetAtomName (49258, 1241376, ... ) == 0xd 02824 2020 NtUserUnregisterClass (1241436, 2000486400, 1241424, ... ) == 0x1 02825 2020 NtUnmapViewOfSection (-1, 0xfa0000, ... ) == 0x0 02826 2020 NtDeviceIoControlFile (92, 96, 0x0, 0x12f244, 0x22415c, (92, 96, 0x0, 0x12f244, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#d\0\0\0\0\0\0\0\10 \22\1\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#d\0\0\0\0\0\0\0\10 \22\1\306\205\337w", ) , 32, 32, ... {status=0x0, info=32}, (92, 96, 0x0, 0x12f244, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#d\0\0\0\0\0\0\0\10 \22\1\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#d\0\0\0\0\0\0\0\10 \22\1\306\205\337w", ) , ) == 0x0 02827 2020 NtDeviceIoControlFile (92, 96, 0x0, 0x12f20c, 0x228168, (92, 96, 0x0, 0x12f20c, 0x228168, "d\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02828 2020 NtDeviceIoControlFile (92, 96, 0x0, 0x12f244, 0x22415c, (92, 96, 0x0, 0x12f244, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\200\0\0\0\0\0\0\0\10 \22\1\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\200\0\0\0\0\0\0\0\10 \22\1\306\205\337w", ) , 32, 32, ... {status=0x0, info=32}, (92, 96, 0x0, 0x12f244, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\200\0\0\0\0\0\0\0\10 \22\1\306\205\337w", 32, 32, ... 
{status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\200\0\0\0\0\0\0\0\10 \22\1\306\205\337w", ) , ) == 0x0 02829 2020 NtDeviceIoControlFile (92, 96, 0x0, 0x12f20c, 0x228168, (92, 96, 0x0, 0x12f20c, 0x228168, "\200\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02830 2020 NtWaitForSingleObject (236, 0, 0x0, ... ) == 0x0 02831 2020 NtClearEvent (236, ... ) == 0x0 02832 2020 NtSetEvent (236, ... 0x0, ) == 0x0 02833 2020 NtClose (236, ... ) == 0x0 02834 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 02835 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 02836 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 02837 2020 NtClose (84, ... ) == 0x0 02838 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02839 2020 NtUnmapViewOfSection (-1, 0xe10000, ... ) == 0x0 02840 2020 NtClose (60, ... ) == 0x0 02841 2020 NtGdiDeleteObjectApp (1594885482, ... ) == 0x1 02842 2020 NtUserGetProcessWindowStation (... ) == 0x20 02843 2020 NtUserBuildNameList (32, 522, 1394880, 1241620, ... ) == 0x0 02844 2020 NtUserGetProcessWindowStation (... ) == 0x20 02845 2020 NtUserOpenDesktop ({24, 32, 0x40, 0, 0, ({24, 32, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x3c 02846 2020 NtUserBuildHwndList (60, 0, 0, 0, 64, ... 
(0x1a00f4, 0x5009e, 0x400fa, 0x10074, 0x10070, 0x10080, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x1401b6, 0xc01d2, 0xd0102, 0x500a2, 0xd011a, 0x10090, 0x100d0, 0x200b0, 0x100cc, 0x80144, 0x13010c, 0x16012c, 0x7015a, 0xd01c8, 0xe01ac, 0xc01d0, 0xa01cc, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 62, ) == 0x0 02847 2020 NtUserValidateHandleSecure (1704180, ... ) == 0x1 02848 2020 NtUserQueryWindow (1704180, 0, ... ) == 0x6b8 02849 2020 NtUserQueryWindow (1704180, 1, ... ) == 0x6d4 02850 2020 NtUserValidateHandleSecure (1704180, ... ) == 0x1 02851 2020 NtUserValidateHandleSecure (327838, ... ) == 0x1 02852 2020 NtUserQueryWindow (327838, 0, ... ) == 0x6b8 02853 2020 NtUserQueryWindow (327838, 1, ... ) == 0x6d4 02854 2020 NtUserValidateHandleSecure (327838, ... ) == 0x1 02855 2020 NtUserValidateHandleSecure (262394, ... ) == 0x1 02856 2020 NtUserQueryWindow (262394, 0, ... ) == 0x6b8 02857 2020 NtUserQueryWindow (262394, 1, ... ) == 0x6d4 02858 2020 NtUserValidateHandleSecure (262394, ... ) == 0x1 02859 2020 NtUserBuildHwndList (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0 02860 2020 NtUserValidateHandleSecure (524388, ... ) == 0x1 02861 2020 NtUserQueryWindow (524388, 0, ... ) == 0x6b8 02862 2020 NtUserQueryWindow (524388, 1, ... ) == 0x6d4 02863 2020 NtUserValidateHandleSecure (393320, ... ) == 0x1 02864 2020 NtUserQueryWindow (393320, 0, ... ) == 0x6b8 02865 2020 NtUserQueryWindow (393320, 1, ... ) == 0x6d4 02866 2020 NtUserValidateHandleSecure (393324, ... ) == 0x1 02867 2020 NtUserQueryWindow (393324, 0, ... ) == 0x6b8 02868 2020 NtUserQueryWindow (393324, 1, ... 
) == 0x6d4 02869 2020 NtUserValidateHandleSecure (327828, ... ) == 0x1 02870 2020 NtUserQueryWindow (327828, 0, ... ) == 0x6b8 02871 2020 NtUserQueryWindow (327828, 1, ... ) == 0x6d4 02872 2020 NtUserValidateHandleSecure (327830, ... ) == 0x1 02873 2020 NtUserQueryWindow (327830, 0, ... ) == 0x6b8 02874 2020 NtUserQueryWindow (327830, 1, ... ) == 0x6d4 02875 2020 NtUserValidateHandleSecure (393318, ... ) == 0x1 02876 2020 NtUserQueryWindow (393318, 0, ... ) == 0x6b8 02877 2020 NtUserQueryWindow (393318, 1, ... ) == 0x6d4 02878 2020 NtUserValidateHandleSecure (458858, ... ) == 0x1 02879 2020 NtUserQueryWindow (458858, 0, ... ) == 0x6b8 02880 2020 NtUserQueryWindow (458858, 1, ... ) == 0x6d4 02881 2020 NtUserValidateHandleSecure (589912, ... ) == 0x1 02882 2020 NtUserQueryWindow (589912, 0, ... ) == 0x6b8 02883 2020 NtUserQueryWindow (589912, 1, ... ) == 0x6d4 02884 2020 NtUserValidateHandleSecure (393326, ... ) == 0x1 02885 2020 NtUserQueryWindow (393326, 0, ... ) == 0x6b8 02886 2020 NtUserQueryWindow (393326, 1, ... ) == 0x6d4 02887 2020 NtUserValidateHandleSecure (327818, ... ) == 0x1 02888 2020 NtUserQueryWindow (327818, 0, ... ) == 0x6b8 02889 2020 NtUserQueryWindow (327818, 1, ... ) == 0x6d4 02890 2020 NtUserValidateHandleSecure (327816, ... ) == 0x1 02891 2020 NtUserQueryWindow (327816, 0, ... ) == 0x6b8 02892 2020 NtUserQueryWindow (327816, 1, ... ) == 0x6d4 02893 2020 NtUserValidateHandleSecure (327840, ... ) == 0x1 02894 2020 NtUserQueryWindow (327840, 0, ... ) == 0x6b8 02895 2020 NtUserQueryWindow (327840, 1, ... ) == 0x6d4 02896 2020 NtUserValidateHandleSecure (65652, ... ) == 0x1 02897 2020 NtUserQueryWindow (65652, 0, ... ) == 0x6b8 02898 2020 NtUserQueryWindow (65652, 1, ... ) == 0x6d4 02899 2020 NtUserValidateHandleSecure (65652, ... ) == 0x1 02900 2020 NtUserValidateHandleSecure (65648, ... ) == 0x1 02901 2020 NtUserQueryWindow (65648, 0, ... ) == 0x6b8 02902 2020 NtUserQueryWindow (65648, 1, ... 
) == 0x6d4 02903 2020 NtUserValidateHandleSecure (65648, ... ) == 0x1 02904 2020 NtUserValidateHandleSecure (65664, ... ) == 0x1 02905 2020 NtUserQueryWindow (65664, 0, ... ) == 0x6b8 02906 2020 NtUserQueryWindow (65664, 1, ... ) == 0x6d4 02907 2020 NtUserValidateHandleSecure (65664, ... ) == 0x1 02908 2020 NtUserValidateHandleSecure (65668, ... ) == 0x1 02909 2020 NtUserQueryWindow (65668, 0, ... ) == 0x6b8 02910 2020 NtUserQueryWindow (65668, 1, ... ) == 0x6d4 02911 2020 NtUserValidateHandleSecure (65668, ... ) == 0x1 02912 2020 NtUserValidateHandleSecure (196680, ... ) == 0x1 02913 2020 NtUserQueryWindow (196680, 0, ... ) == 0x6b8 02914 2020 NtUserQueryWindow (196680, 1, ... ) == 0x6d4 02915 2020 NtUserValidateHandleSecure (196680, ... ) == 0x1 02916 2020 NtUserValidateHandleSecure (65650, ... ) == 0x1 02917 2020 NtUserQueryWindow (65650, 0, ... ) == 0x6b8 02918 2020 NtUserQueryWindow (65650, 1, ... ) == 0x6d4 02919 2020 NtUserValidateHandleSecure (65650, ... ) == 0x1 02920 2020 NtUserValidateHandleSecure (131154, ... ) == 0x1 02921 2020 NtUserQueryWindow (131154, 0, ... ) == 0x6b8 02922 2020 NtUserQueryWindow (131154, 1, ... ) == 0x6d4 02923 2020 NtUserValidateHandleSecure (131154, ... ) == 0x1 02924 2020 NtUserBuildHwndList (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0 02925 2020 NtUserValidateHandleSecure (196670, ... ) == 0x1 02926 2020 NtUserQueryWindow (196670, 0, ... ) == 0x6b8 02927 2020 NtUserQueryWindow (196670, 1, ... ) == 0x6d4 02928 2020 NtUserValidateHandleSecure (196668, ... ) == 0x1 02929 2020 NtUserQueryWindow (196668, 0, ... ) == 0x6b8 02930 2020 NtUserQueryWindow (196668, 1, ... ) == 0x6d4 02931 2020 NtUserValidateHandleSecure (196672, ... ) == 0x1 02932 2020 NtUserQueryWindow (196672, 0, ... ) == 0x6b8 02933 2020 NtUserQueryWindow (196672, 1, ... ) == 0x6d4 02934 2020 NtUserValidateHandleSecure (196674, ... 
) == 0x1 02935 2020 NtUserQueryWindow (196674, 0, ... ) == 0x6b8 02936 2020 NtUserQueryWindow (196674, 1, ... ) == 0x6d4 02937 2020 NtUserValidateHandleSecure (196676, ... ) == 0x1 02938 2020 NtUserQueryWindow (196676, 0, ... ) == 0x6b8 02939 2020 NtUserQueryWindow (196676, 1, ... ) == 0x6d4 02940 2020 NtUserValidateHandleSecure (196678, ... ) == 0x1 02941 2020 NtUserQueryWindow (196678, 0, ... ) == 0x6b8 02942 2020 NtUserQueryWindow (196678, 1, ... ) == 0x6d4 02943 2020 NtUserValidateHandleSecure (65654, ... ) == 0x1 02944 2020 NtUserQueryWindow (65654, 0, ... ) == 0x6b8 02945 2020 NtUserQueryWindow (65654, 1, ... ) == 0x6d4 02946 2020 NtUserValidateHandleSecure (65666, ... ) == 0x1 02947 2020 NtUserQueryWindow (65666, 0, ... ) == 0x6b8 02948 2020 NtUserQueryWindow (65666, 1, ... ) == 0x6d4 02949 2020 NtUserValidateHandleSecure (65658, ... ) == 0x1 02950 2020 NtUserQueryWindow (65658, 0, ... ) == 0x6b8 02951 2020 NtUserQueryWindow (65658, 1, ... ) == 0x6d4 02952 2020 NtUserValidateHandleSecure (65662, ... ) == 0x1 02953 2020 NtUserQueryWindow (65662, 0, ... ) == 0x6b8 02954 2020 NtUserQueryWindow (65662, 1, ... ) == 0x6d4 02955 2020 NtUserValidateHandleSecure (327836, ... ) == 0x1 02956 2020 NtUserQueryWindow (327836, 0, ... ) == 0x6b8 02957 2020 NtUserQueryWindow (327836, 1, ... ) == 0x6d4 02958 2020 NtUserValidateHandleSecure (327836, ... ) == 0x1 02959 2020 NtUserValidateHandleSecure (1311158, ... ) == 0x1 02960 2020 NtUserQueryWindow (1311158, 0, ... ) == 0x6b8 02961 2020 NtUserQueryWindow (1311158, 1, ... ) == 0x6d4 02962 2020 NtUserValidateHandleSecure (1311158, ... ) == 0x1 02963 2020 NtUserBuildHwndList (0, 1311158, 1, 0, 64, ... (0xf0192, 0x80198, 0x1, ), 3, ) == 0x0 02964 2020 NtUserValidateHandleSecure (983442, ... ) == 0x1 02965 2020 NtUserQueryWindow (983442, 0, ... ) == 0x6b8 02966 2020 NtUserQueryWindow (983442, 1, ... ) == 0x6d4 02967 2020 NtUserValidateHandleSecure (524696, ... ) == 0x1 02968 2020 NtUserQueryWindow (524696, 0, ... 
) == 0x6b8 02969 2020 NtUserQueryWindow (524696, 1, ... ) == 0x6d4 02970 2020 NtUserValidateHandleSecure (786898, ... ) == 0x1 02971 2020 NtUserQueryWindow (786898, 0, ... ) == 0x6b8 02972 2020 NtUserQueryWindow (786898, 1, ... ) == 0x6d4 02973 2020 NtUserValidateHandleSecure (786898, ... ) == 0x1 02974 2020 NtUserValidateHandleSecure (852226, ... ) == 0x1 02975 2020 NtUserQueryWindow (852226, 0, ... ) == 0x6b8 02976 2020 NtUserQueryWindow (852226, 1, ... ) == 0x6d4 02977 2020 NtUserValidateHandleSecure (852226, ... ) == 0x1 02978 2020 NtUserBuildHwndList (0, 852226, 1, 0, 64, ... (0x700fc, 0xc0114, 0x1, ), 3, ) == 0x0 02979 2020 NtUserValidateHandleSecure (459004, ... ) == 0x1 02980 2020 NtUserQueryWindow (459004, 0, ... ) == 0x6b8 02981 2020 NtUserQueryWindow (459004, 1, ... ) == 0x6d4 02982 2020 NtUserValidateHandleSecure (786708, ... ) == 0x1 02983 2020 NtUserQueryWindow (786708, 0, ... ) == 0x6b8 02984 2020 NtUserQueryWindow (786708, 1, ... ) == 0x6d4 02985 2020 NtUserValidateHandleSecure (327842, ... ) == 0x1 02986 2020 NtUserQueryWindow (327842, 0, ... ) == 0x6b8 02987 2020 NtUserQueryWindow (327842, 1, ... ) == 0x6d4 02988 2020 NtUserValidateHandleSecure (327842, ... ) == 0x1 02989 2020 NtUserValidateHandleSecure (852250, ... ) == 0x1 02990 2020 NtUserQueryWindow (852250, 0, ... ) == 0x6b8 02991 2020 NtUserQueryWindow (852250, 1, ... ) == 0x6d4 02992 2020 NtUserValidateHandleSecure (852250, ... ) == 0x1 02993 2020 NtUserValidateHandleSecure (65680, ... ) == 0x1 02994 2020 NtUserQueryWindow (65680, 0, ... ) == 0x6b8 02995 2020 NtUserQueryWindow (65680, 1, ... ) == 0x6bc 02996 2020 NtUserValidateHandleSecure (65680, ... ) == 0x1 02997 2020 NtUserValidateHandleSecure (65744, ... ) == 0x1 02998 2020 NtUserQueryWindow (65744, 0, ... ) == 0x19c 02999 2020 NtUserQueryWindow (65744, 1, ... ) == 0x1a0 03000 2020 NtUserValidateHandleSecure (65744, ... ) == 0x1 03001 2020 NtUserValidateHandleSecure (131248, ... ) == 0x1 03002 2020 NtUserQueryWindow (131248, 0, ... 
) == 0xa0 03003 2020 NtUserQueryWindow (131248, 1, ... ) == 0xe4 03004 2020 NtUserValidateHandleSecure (131248, ... ) == 0x1 03005 2020 NtUserValidateHandleSecure (65740, ... ) == 0x1 03006 2020 NtUserQueryWindow (65740, 0, ... ) == 0x19c 03007 2020 NtUserQueryWindow (65740, 1, ... ) == 0x1a0 03008 2020 NtUserValidateHandleSecure (65740, ... ) == 0x1 03009 2020 NtUserValidateHandleSecure (524612, ... ) == 0x1 03010 2020 NtUserQueryWindow (524612, 0, ... ) == 0x6c8 03011 2020 NtUserQueryWindow (524612, 1, ... ) == 0x6d0 03012 2020 NtUserValidateHandleSecure (524612, ... ) == 0x1 03013 2020 NtUserValidateHandleSecure (1245452, ... ) == 0x1 03014 2020 NtUserQueryWindow (1245452, 0, ... ) == 0x5e8 03015 2020 NtUserQueryWindow (1245452, 1, ... ) == 0x534 03016 2020 NtUserValidateHandleSecure (1245452, ... ) == 0x1 03017 2020 NtUserValidateHandleSecure (1442092, ... ) == 0x1 03018 2020 NtUserQueryWindow (1442092, 0, ... ) == 0xa4 03019 2020 NtUserQueryWindow (1442092, 1, ... ) == 0x61c 03020 2020 NtUserValidateHandleSecure (1442092, ... ) == 0x1 03021 2020 NtUserValidateHandleSecure (459098, ... ) == 0x1 03022 2020 NtUserQueryWindow (459098, 0, ... ) == 0x4b0 03023 2020 NtUserQueryWindow (459098, 1, ... ) == 0x780 03024 2020 NtUserValidateHandleSecure (459098, ... ) == 0x1 03025 2020 NtUserValidateHandleSecure (852424, ... ) == 0x1 03026 2020 NtUserQueryWindow (852424, 0, ... ) == 0x6b8 03027 2020 NtUserQueryWindow (852424, 1, ... ) == 0x6d4 03028 2020 NtUserValidateHandleSecure (852424, ... ) == 0x1 03029 2020 NtUserValidateHandleSecure (917932, ... ) == 0x1 03030 2020 NtUserQueryWindow (917932, 0, ... ) == 0x6b8 03031 2020 NtUserQueryWindow (917932, 1, ... ) == 0x6d4 03032 2020 NtUserValidateHandleSecure (917932, ... ) == 0x1 03033 2020 NtUserValidateHandleSecure (786896, ... ) == 0x1 03034 2020 NtUserQueryWindow (786896, 0, ... ) == 0x6b8 03035 2020 NtUserQueryWindow (786896, 1, ... ) == 0x6d4 03036 2020 NtUserValidateHandleSecure (786896, ... 
) == 0x1 03037 2020 NtUserValidateHandleSecure (655820, ... ) == 0x1 03038 2020 NtUserQueryWindow (655820, 0, ... ) == 0x6b8 03039 2020 NtUserQueryWindow (655820, 1, ... ) == 0x6d4 03040 2020 NtUserValidateHandleSecure (655820, ... ) == 0x1 03041 2020 NtUserValidateHandleSecure (196940, ... ) == 0x1 03042 2020 NtUserQueryWindow (196940, 0, ... ) == 0x4b4 03043 2020 NtUserQueryWindow (196940, 1, ... ) == 0x474 03044 2020 NtUserValidateHandleSecure (196940, ... ) == 0x1 03045 2020 NtUserValidateHandleSecure (65820, ... ) == 0x1 03046 2020 NtUserQueryWindow (65820, 0, ... ) == 0x22c 03047 2020 NtUserQueryWindow (65820, 1, ... ) == 0x220 03048 2020 NtUserValidateHandleSecure (65820, ... ) == 0x1 03049 2020 NtUserValidateHandleSecure (65766, ... ) == 0x1 03050 2020 NtUserQueryWindow (65766, 0, ... ) == 0x6b8 03051 2020 NtUserQueryWindow (65766, 1, ... ) == 0x13c 03052 2020 NtUserValidateHandleSecure (65766, ... ) == 0x1 03053 2020 NtUserValidateHandleSecure (65750, ... ) == 0x1 03054 2020 NtUserQueryWindow (65750, 0, ... ) == 0x6b8 03055 2020 NtUserQueryWindow (65750, 1, ... ) == 0x13c 03056 2020 NtUserValidateHandleSecure (65750, ... ) == 0x1 03057 2020 NtUserBuildHwndList (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0 03058 2020 NtUserValidateHandleSecure (65754, ... ) == 0x1 03059 2020 NtUserQueryWindow (65754, 0, ... ) == 0x6b8 03060 2020 NtUserQueryWindow (65754, 1, ... ) == 0x13c 03061 2020 NtUserValidateHandleSecure (65756, ... ) == 0x1 03062 2020 NtUserQueryWindow (65756, 0, ... ) == 0x6b8 03063 2020 NtUserQueryWindow (65756, 1, ... ) == 0x13c 03064 2020 NtUserValidateHandleSecure (65758, ... ) == 0x1 03065 2020 NtUserQueryWindow (65758, 0, ... ) == 0x6b8 03066 2020 NtUserQueryWindow (65758, 1, ... ) == 0x13c 03067 2020 NtUserValidateHandleSecure (65760, ... ) == 0x1 03068 2020 NtUserQueryWindow (65760, 0, ... ) == 0x6b8 03069 2020 NtUserQueryWindow (65760, 1, ... ) == 0x13c 03070 2020 NtUserValidateHandleSecure (65746, ... 
) == 0x1 03071 2020 NtUserQueryWindow (65746, 0, ... ) == 0x6b8 03072 2020 NtUserQueryWindow (65746, 1, ... ) == 0x6d4 03073 2020 NtUserValidateHandleSecure (65746, ... ) == 0x1 03074 2020 NtUserValidateHandleSecure (65738, ... ) == 0x1 03075 2020 NtUserQueryWindow (65738, 0, ... ) == 0x19c 03076 2020 NtUserQueryWindow (65738, 1, ... ) == 0x1a0 03077 2020 NtUserValidateHandleSecure (65738, ... ) == 0x1 03078 2020 NtUserValidateHandleSecure (65736, ... ) == 0x1 03079 2020 NtUserQueryWindow (65736, 0, ... ) == 0xa0 03080 2020 NtUserQueryWindow (65736, 1, ... ) == 0xe4 03081 2020 NtUserValidateHandleSecure (65736, ... ) == 0x1 03082 2020 NtUserValidateHandleSecure (65722, ... ) == 0x1 03083 2020 NtUserQueryWindow (65722, 0, ... ) == 0x104 03084 2020 NtUserQueryWindow (65722, 1, ... ) == 0x108 03085 2020 NtUserValidateHandleSecure (65722, ... ) == 0x1 03086 2020 NtUserValidateHandleSecure (65710, ... ) == 0x1 03087 2020 NtUserQueryWindow (65710, 0, ... ) == 0x104 03088 2020 NtUserQueryWindow (65710, 1, ... ) == 0x108 03089 2020 NtUserValidateHandleSecure (65710, ... ) == 0x1 03090 2020 NtUserValidateHandleSecure (65708, ... ) == 0x1 03091 2020 NtUserQueryWindow (65708, 0, ... ) == 0x120 03092 2020 NtUserQueryWindow (65708, 1, ... ) == 0x124 03093 2020 NtUserValidateHandleSecure (65708, ... ) == 0x1 03094 2020 NtUserValidateHandleSecure (196774, ... ) == 0x1 03095 2020 NtUserQueryWindow (196774, 0, ... ) == 0xc4 03096 2020 NtUserQueryWindow (196774, 1, ... ) == 0xc8 03097 2020 NtUserValidateHandleSecure (196774, ... ) == 0x1 03098 2020 NtUserValidateHandleSecure (65656, ... ) == 0x1 03099 2020 NtUserQueryWindow (65656, 0, ... ) == 0x6b8 03100 2020 NtUserQueryWindow (65656, 1, ... ) == 0x6ec 03101 2020 NtUserValidateHandleSecure (65656, ... ) == 0x1 03102 2020 NtUserValidateHandleSecure (196706, ... ) == 0x1 03103 2020 NtUserQueryWindow (196706, 0, ... ) == 0x6b8 03104 2020 NtUserQueryWindow (196706, 1, ... ) == 0x6bc 03105 2020 NtUserValidateHandleSecure (196706, ... 
) == 0x1 03106 2020 NtUserValidateHandleSecure (327734, ... ) == 0x1 03107 2020 NtUserQueryWindow (327734, 0, ... ) == 0x6b8 03108 2020 NtUserQueryWindow (327734, 1, ... ) == 0x6bc 03109 2020 NtUserValidateHandleSecure (327734, ... ) == 0x1 03110 2020 NtUserValidateHandleSecure (327772, ... ) == 0x1 03111 2020 NtUserQueryWindow (327772, 0, ... ) == 0x6b8 03112 2020 NtUserQueryWindow (327772, 1, ... ) == 0x6bc 03113 2020 NtUserValidateHandleSecure (327772, ... ) == 0x1 03114 2020 NtUserValidateHandleSecure (65726, ... ) == 0x1 03115 2020 NtUserQueryWindow (65726, 0, ... ) == 0x19c 03116 2020 NtUserQueryWindow (65726, 1, ... ) == 0x1a0 03117 2020 NtUserValidateHandleSecure (65726, ... ) == 0x1 03118 2020 NtUserValidateHandleSecure (262398, ... ) == 0x1 03119 2020 NtUserQueryWindow (262398, 0, ... ) == 0x6b8 03120 2020 NtUserQueryWindow (262398, 1, ... ) == 0x6d4 03121 2020 NtUserValidateHandleSecure (262398, ... ) == 0x1 03122 2020 NtUserValidateHandleSecure (65682, ... ) == 0x1 03123 2020 NtUserQueryWindow (65682, 0, ... ) == 0x6b8 03124 2020 NtUserQueryWindow (65682, 1, ... ) == 0x6bc 03125 2020 NtUserValidateHandleSecure (65682, ... ) == 0x1 03126 2020 NtUserValidateHandleSecure (65670, ... ) == 0x1 03127 2020 NtUserQueryWindow (65670, 0, ... ) == 0x6b8 03128 2020 NtUserQueryWindow (65670, 1, ... ) == 0x6bc 03129 2020 NtUserValidateHandleSecure (65670, ... ) == 0x1 03130 2020 NtUserBuildHwndList (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0 03131 2020 NtUserValidateHandleSecure (65676, ... ) == 0x1 03132 2020 NtUserQueryWindow (65676, 0, ... ) == 0x6b8 03133 2020 NtUserQueryWindow (65676, 1, ... ) == 0x6bc 03134 2020 NtUserValidateHandleSecure (65678, ... ) == 0x1 03135 2020 NtUserQueryWindow (65678, 0, ... ) == 0x6b8 03136 2020 NtUserQueryWindow (65678, 1, ... ) == 0x6bc 03137 2020 NtUserValidateHandleSecure (262196, ... ) == 0x1 03138 2020 NtUserQueryWindow (262196, 0, ... ) == 0x6b8 03139 2020 NtUserQueryWindow (262196, 1, ... 
) == 0x6d4 03140 2020 NtUserValidateHandleSecure (262196, ... ) == 0x1 03141 2020 NtUserValidateHandleSecure (327760, ... ) == 0x1 03142 2020 NtUserQueryWindow (327760, 0, ... ) == 0x6b8 03143 2020 NtUserQueryWindow (327760, 1, ... ) == 0x6d4 03144 2020 NtUserValidateHandleSecure (327760, ... ) == 0x1 03145 2020 NtUserValidateHandleSecure (65852, ... ) == 0x1 03146 2020 NtUserQueryWindow (65852, 0, ... ) == 0x22c 03147 2020 NtUserQueryWindow (65852, 1, ... ) == 0x220 03148 2020 NtUserValidateHandleSecure (65852, ... ) == 0x1 03149 2020 NtUserValidateHandleSecure (65824, ... ) == 0x1 03150 2020 NtUserQueryWindow (65824, 0, ... ) == 0x22c 03151 2020 NtUserQueryWindow (65824, 1, ... ) == 0x220 03152 2020 NtUserValidateHandleSecure (65824, ... ) == 0x1 03153 2020 NtUserValidateHandleSecure (65730, ... ) == 0x1 03154 2020 NtUserQueryWindow (65730, 0, ... ) == 0xa0 03155 2020 NtUserQueryWindow (65730, 1, ... ) == 0xe4 03156 2020 NtUserValidateHandleSecure (65730, ... ) == 0x1 03157 2020 NtUserValidateHandleSecure (65724, ... ) == 0x1 03158 2020 NtUserQueryWindow (65724, 0, ... ) == 0xa0 03159 2020 NtUserQueryWindow (65724, 1, ... ) == 0xe4 03160 2020 NtUserValidateHandleSecure (65724, ... ) == 0x1 03161 2020 NtUserValidateHandleSecure (131406, ... ) == 0x1 03162 2020 NtUserQueryWindow (131406, 0, ... ) == 0x4b4 03163 2020 NtUserQueryWindow (131406, 1, ... ) == 0x474 03164 2020 NtUserValidateHandleSecure (131406, ... ) == 0x1 03165 2020 NtUserValidateHandleSecure (65752, ... ) == 0x1 03166 2020 NtUserQueryWindow (65752, 0, ... ) == 0x6b8 03167 2020 NtUserQueryWindow (65752, 1, ... ) == 0x13c 03168 2020 NtUserValidateHandleSecure (65752, ... ) == 0x1 03169 2020 NtUserValidateHandleSecure (65718, ... ) == 0x1 03170 2020 NtUserQueryWindow (65718, 0, ... ) == 0x104 03171 2020 NtUserQueryWindow (65718, 1, ... ) == 0x108 03172 2020 NtUserValidateHandleSecure (65718, ... ) == 0x1 03173 2020 NtUserValidateHandleSecure (65720, ... 
) == 0x1 03174 2020 NtUserQueryWindow (65720, 0, ... ) == 0x120 03175 2020 NtUserQueryWindow (65720, 1, ... ) == 0x124 03176 2020 NtUserValidateHandleSecure (65720, ... ) == 0x1 03177 2020 NtUserValidateHandleSecure (65716, ... ) == 0x1 03178 2020 NtUserQueryWindow (65716, 0, ... ) == 0xc4 03179 2020 NtUserQueryWindow (65716, 1, ... ) == 0xc8 03180 2020 NtUserValidateHandleSecure (65716, ... ) == 0x1 03181 2020 NtUserValidateHandleSecure (65728, ... ) == 0x1 03182 2020 NtUserQueryWindow (65728, 0, ... ) == 0x19c 03183 2020 NtUserQueryWindow (65728, 1, ... ) == 0x1a0 03184 2020 NtUserValidateHandleSecure (65728, ... ) == 0x1 03185 2020 NtUserValidateHandleSecure (65690, ... ) == 0x1 03186 2020 NtUserQueryWindow (65690, 0, ... ) == 0x6b8 03187 2020 NtUserQueryWindow (65690, 1, ... ) == 0x6bc 03188 2020 NtUserValidateHandleSecure (65690, ... ) == 0x1 03189 2020 NtUserValidateHandleSecure (327774, ... ) == 0x1 03190 2020 NtUserQueryWindow (327774, 0, ... ) == 0x6b8 03191 2020 NtUserQueryWindow (327774, 1, ... ) == 0x6bc 03192 2020 NtUserValidateHandleSecure (327774, ... ) == 0x1 03193 2020 NtUserCloseDesktop (60, ... ) == 0x1 03194 2020 NtUserGetProcessWindowStation (... ) == 0x20 03195 2020 NtUserOpenDesktop ({24, 32, 0x40, 0, 0, ({24, 32, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 03196 2020 NtUserGetProcessWindowStation (... ) == 0x20 03197 2020 NtUserOpenDesktop ({24, 32, 0x40, 0, 0, ({24, 32, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 03198 2020 NtGdiDeleteObjectApp (822740197, ... ) == 0x1 03199 2020 NtGdiDeleteObjectApp (-2062940241, ... ) == 0x1 03200 2020 NtClose (56, ... ) == 0x0 03201 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 03202 2020 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 03203 2020 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 03204 2020 NtQueryInformationProcess (-1, 36, 4, ... 
{process info, class 36, size 4}, 0x0, ) == 0x0 03205 2020 NtQueryVirtualMemory (-1, 0x42573c, Basic, 28, ... {BaseAddress=0x425000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x3000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 03206 2020 NtClose (44, ... ) == 0x0 03207 2020 NtClose (92, ... ) == 0x0 03208 2020 NtFreeVirtualMemory (-1, (0x1050000), 4096, 32768, ... (0x1050000), 4096, ) == 0x0 03209 2020 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 92, ) }, ... 92, ) == 0x0 03210 2020 NtQueryValueKey (92, (92, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03211 2020 NtClose (92, ... ) == 0x0 03212 2020 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 0, 1418128, 0, 0} (24, {20, 48, new_msg, 0, 0, 1418128, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 868, 2020, 75708, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 868, 2020, 75708, 0} (24, {20, 48, new_msg, 0, 0, 1418128, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 868, 2020, 75708, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03213 2020 NtTerminateProcess (-1, 0, ...