Summary:





NtAccessCheck(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtDuplicateObject(>)  7 
NtContinue(>)  29 


NtEnumerateValueKey(>)  1 
NtNotifyChangeKey(>)  2 
NtOpenProcessTokenEx(>)  8 
NtRequestWaitReplyPort(>)  29 


NtFsControlFile(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenThreadTokenEx(>)  8 
NtDelayExecution(>)  31 


NtGdiCreateBitmap(>)  1 
NtQueryInstallUILanguage(>)  2 
NtResumeThread(>)  8 
NtOpenSection(>)  31 


NtGdiInit(>)  1 
NtQueryVirtualMemory(>)  2 
NtCreateThread(>)  9 
NtCreateEvent(>)  32 


NtGdiQueryFontAssocInfo(>)  1 
NtUserCallOneParam(>)  2 
NtTestAlert(>)  9 
NtUserGetClassInfo(>)  37 


NtGdiSelectBitmap(>)  1 
NtUserGetDC(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtReleaseMutant(>)  38 


NtOpenKeyedEvent(>)  1 
NtCreateSemaphore(>)  3 
NtQueryInformationThread(>)  10 
NtProtectVirtualMemory(>)  41 


NtOpenMutant(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtRegisterThreadTerminatePort(>)  10 
NtDeviceIoControlFile(>)  42 


NtOpenProcess(>)  1 
NtOpenThreadToken(>)  3 
NtSetInformationFile(>)  11 
NtOpenFile(>)  42 


NtOpenSymbolicLinkObject(>)  1 
NtQueryInformationProcess(>)  3 
NtUserSystemParametersInfo(>)  11 
NtMapViewOfSection(>)  47 


NtQueryEvent(>)  1 
NtQueryPerformanceCounter(>)  3 
NtCreateFile(>)  12 
NtUserFindExistingCursorIcon(>)  48 


NtQueryObject(>)  1 
NtQueryVolumeInformationFile(>)  3 
NtQueryInformationFile(>)  12 
NtQueryAttributesFile(>)  52 


NtQuerySymbolicLinkObject(>)  1 
NtReleaseSemaphore(>)  3 
NtQueryInformationToken(>)  12 
NtWaitForSingleObject(>)  54 


NtQuerySystemTime(>)  1 
NtSetInformationObject(>)  3 
NtQuerySection(>)  12 
NtAllocateVirtualMemory(>)  58 


NtSecureConnectPort(>)  1 
NtCallbackReturn(>)  4 
NtSetEventBoostPriority(>)  14 
NtUserFindWindowEx(>)  60 


NtSetInformationThread(>)  1 
NtOpenEvent(>)  4 
NtSetValueKey(>)  14 
NtUserRegisterClassExWOW(>)  63 


NtTerminateThread(>)  1 
NtOpenProcessToken(>)  4 
NtFlushInstructionCache(>)  15 
NtOpenKey(>)  134 


NtUserCallNoParam(>)  1 
NtQueryDefaultLocale(>)  4 
NtCreateKey(>)  16 
NtClose(>)  208 


NtUserGetThreadDesktop(>)  1 
NtUserRegisterWindowMessage(>)  4 
NtQueryDebugFilterState(>)  20 
NtQueryValueKey(>)  234 


NtUserGetThreadState(>)  1 
NtFreeVirtualMemory(>)  5 
NtUnmapViewOfSection(>)  20 


NtWriteFile(>)  1 
NtGdiGetStockObject(>)  5 
NtQuerySystemInformation(>)  22 


NtAddAtom(>)  2 



Trace:

 00001   428   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   428   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   428   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   428   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   428   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   428   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   428   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   428   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   428   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   428   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   428   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   428   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   428   NtClose  (12, ... ) == 0x0
 00014   428   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   428   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   428   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   428   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   428   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   428   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   428   NtClose  (16, ... ) == 0x0
 00021   428   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   428   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   428   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   428   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   428   NtClose  (16, ... ) == 0x0
 00026   428   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   428   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   428   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   428   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   428   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   428   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 420, 428, 1475, 0} "0\234\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ... {28, 56, reply, 0, 420, 428, 1475, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 420, 428, 1475, 0} "0\234\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ) == 0x0
 00032   428   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   428   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   428   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   428   NtClose  (16, ... ) == 0x0
 00036   428   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00037   428   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00038   428   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00039   428   NtClose  (28, ... ) == 0x0
 00040   428   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00041   428   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00042   428   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00043   428   NtClose  (28, ... ) == 0x0
 00044   428   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00045   428   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00046   428   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00047   428   NtClose  (28, ... ) == 0x0
 00048   428   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00049   428   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00050   428   NtClose  (28, ... ) == 0x0
 00051   428   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00052   428   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00053   428   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   428   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 420, 428, 1477, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ... {28, 56, reply, 0, 420, 428, 1477, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 420, 428, 1477, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ) == 0x0
 00055   428   NtProtectVirtualMemory  (-1, (0x42f000), 4096, 4, ... (0x42f000), 4096, 8, ) == 0x0
 00056   428   NtProtectVirtualMemory  (-1, (0x42f000), 4096, 8, ... (0x42f000), 4096, 4, ) == 0x0
 00057   428   NtFlushInstructionCache  (-1, 4386816, 4096, ... ) == 0x0
 00058   428   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00059   428   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00060   428   NtClose  (28, ... ) == 0x0
 00061   428   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00062   428   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00063   428   NtClose  (28, ... ) == 0x0
 00064   428   NtTestAlert  (... ) == 0x0
 00065   428   NtContinue  (1244464, 1, ...
 00066   428   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401000,}, 4, ... ) == 0x0
 00067   428   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 4390912, 1048576, ) == 0x0
 00068   428   NtAllocateVirtualMemory  (-1, 5419008, 0, 20480, 4096, 4, ... 5419008, 20480, ) == 0x0
 00069   428   NtProtectVirtualMemory  (-1, (0x52b000), 4096, 260, ... (0x52b000), 4096, 4, ) == 0x0
 00070   428   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 28, {420, 520}, ) == 0x0
 00071   428   NtQueryInformationThread  (28, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=420,Tid=520,}, 0x0, ) == 0x0
 00072   428   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\244\1\0\0\10\2\0\0" ... {28, 56, reply, 0, 420, 428, 1479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\244\1\0\0\10\2\0\0" )  ... {28, 56, reply, 0, 420, 428, 1479, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\244\1\0\0\10\2\0\0" ... {28, 56, reply, 0, 420, 428, 1479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\244\1\0\0\10\2\0\0" )  ) == 0x0
 00073   428   NtResumeThread  (28, ... 1, ) == 0x0
 00074   428   NtClose  (28, ... ) == 0x0
 00075   428   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00076   520   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00077   520   NtTestAlert  (... ) == 0x0
 00078   520   NtContinue  (5438768, 1, ...
 00079   520   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00080   520   NtOpenFile  (0x110080, {24, 12, 0x40, 0, 0, "}, 7, 2113568, ...
 00081   428   NtTerminateThread  (0, 0, ...
 00082   428   NtFreeVirtualMemory  (-1, (0x30000), 0, 32768, ... (0x30000), 1048576, ) == 0x0
 00080   520   NtOpenFile  ... ) == STATUS_OBJECT_NAME_INVALID
 00083   520   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00084   520   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 28, {status=0x0, info=1}, ) }, 7, 2113568, ... 28, {status=0x0, info=1}, ) == 0x0
 00085   520   NtQueryInformationFile  (28, 5438636, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00086   520   NtSetInformationFile  (28, 1324360, 114, Rename, ... ) == STATUS_NOT_SAME_DEVICE
 00087   520   NtClose  (28, ... ) == 0x0
 00088   520   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 00089   520   NtAllocateVirtualMemory  (-1, 1224704, 0, 20480, 4096, 4, ... 1224704, 20480, ) == 0x0
 00090   520   NtProtectVirtualMemory  (-1, (0x12b000), 4096, 260, ... (0x12b000), 4096, 4, ) == 0x0
 00091   520   NtCreateThread  (0x1f03ff, 0x0, -1, 5438540, 5439256, 1, ... 28, {420, 548}, ) == 0x0
 00092   520   NtQueryInformationThread  (28, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=420,Tid=548,}, 0x0, ) == 0x0
 00093   520   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\3105\24\0\0\0\0\0\34\0\0\0\244\1\0\0$\2\0\0" ... {28, 56, reply, 0, 420, 520, 1482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\244\1\0\0$\2\0\0" )  ... {28, 56, reply, 0, 420, 520, 1482, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\3105\24\0\0\0\0\0\34\0\0\0\244\1\0\0$\2\0\0" ... {28, 56, reply, 0, 420, 520, 1482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\244\1\0\0$\2\0\0" )  ) == 0x0
 00094   520   NtResumeThread  (28, ... 1, ) == 0x0
 00095   520   NtClose  (28, ... ) == 0x0
 00096   520   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... }, ...
 00097   548   NtTestAlert  (... ) == 0x0
 00098   548   NtContinue  (1244464, 1, ...
 00099   548   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00100   548   NtOpenFile  (0x110080, {24, 12, 0x40, 0, 0, "}, 7, 2113568, ...
 00096   520   NtOpenKey  ... 28, ) == 0x0
 00101   520   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00102   520   NtClose  (28, ... ) == 0x0
 00103   520   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00104   520   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00105   520   NtClose  (28, ... ) == 0x0
 00106   520   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00107   520   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00108   520   NtClose  (28, ... ) == 0x0
 00109   520   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00110   520   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00111   520   NtClose  (28, ... ) == 0x0
 00112   520   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... }, ...
 00100   548   NtOpenFile  ... ) == STATUS_OBJECT_NAME_INVALID
 00113   548   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00114   548   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 28, ) == 0x0
 00115   548   NtWaitForSingleObject  (28, 0, 0x0, ...
 00112   520   NtOpenSection  ... 32, ) == 0x0
 00116   520   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00117   520   NtClose  (32, ... ) == 0x0
 00118   520   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00119   520   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00120   520   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00121   520   NtClose  (32, ... ) == 0x0
 00122   520   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00123   520   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00124   520   NtClose  (32, ... ) == 0x0
 00125   520   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00126   520   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00127   520   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   520   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00129   520   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00130   520   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147343352, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147343352, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 420, 520, 1484, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" )  ... {28, 56, reply, 0, 420, 520, 1484, 0}  (24, {28, 56, new_msg, 0, 2, 2147343352, 1246412, 0} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 420, 520, 1484, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" )  ) == 0x0
 00131   520   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00132   520   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x530000), 0x0, 1060864, ) == 0x0
 00133   520   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00134   520   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00135   520   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00136   520   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00137   520   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00138   520   NtClose  (-2147482208, ... ) == 0x0
 00139   520   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00140   520   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00141   520   NtDuplicateObject  (-1, 44, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00142   520   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00143   520   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00144   520   NtClose  (-2147482208, ... ) == 0x0
 00145   520   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00146   520   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00147   520   NtClose  (-2147482208, ... ) == 0x0
 00148   520   NtQueryDefaultLocale  (0, -130774516, ... ) == 0x0
 00149   520   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00150   520   NtUserCallNoParam  (24, ... ) == 0x0
 00151   520   NtGdiCreateCompatibleDC  (0, ...
 00152   520   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00151   520   NtGdiCreateCompatibleDC  ... ) == 0x160103c6
 00153   520   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00154   520   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00155   520   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x38050408
 00156   520   NtGdiCreateSolidBrush  (0, 0, ...
 00157   520   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9699328, 4096, ) == 0x0
 00156   520   NtGdiCreateSolidBrush  ... ) == 0x19100404
 00158   520   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00159   520   NtGdiCreateCompatibleDC  (0, ... ) == 0x1d010403
 00160   520   NtGdiSelectBitmap  (486605827, 939852808, ... ) == 0x185000f
 00161   520   NtUserGetThreadDesktop  (520, 0, ... ) == 0x30
 00162   520   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 56, ) }, ... 56, ) == 0x0
 00163   520   NtQueryValueKey  (56,  (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00164   520   NtClose  (56, ... ) == 0x0
 00165   520   NtUserFindExistingCursorIcon  (5435156, 5435172, 5435740, ... ) == 0x10011
 00166   520   NtUserRegisterClassExWOW  (5435676, 5435756, 5435740, 5435772, 673, 128, 0, ... ) == 0x810dc017
 00167   520   NtUserFindExistingCursorIcon  (5435156, 5435172, 5435740, ... ) == 0x10011
 00168   520   NtUserRegisterClassExWOW  (5435676, 5435756, 5435740, 5435772, 674, 128, 0, ... ) == 0x810dc01c
 00169   520   NtUserFindExistingCursorIcon  (5435156, 5435172, 5435740, ... ) == 0x10011
 00170   520   NtUserRegisterClassExWOW  (5435676, 5435756, 5435740, 5435772, 675, 128, 0, ... ) == 0x810dc01e
 00171   520   NtUserFindExistingCursorIcon  (5435156, 5435172, 5435740, ... ) == 0x10011
 00172   520   NtUserRegisterClassExWOW  (5435676, 5435756, 5435740, 5435772, 676, 128, 0, ... ) == 0x810d8002
 00173   520   NtUserFindExistingCursorIcon  (5435156, 5435172, 5435740, ... ) == 0x10013
 00174   520   NtUserRegisterClassExWOW  (5435676, 5435756, 5435740, 5435772, 677, 128, 0, ... ) == 0x810dc018
 00175   520   NtUserFindExistingCursorIcon  (5435156, 5435172, 5435740, ... ) == 0x10011
 00176   520   NtUserRegisterClassExWOW  (5435676, 5435756, 5435740, 5435772, 678, 128, 0, ... ) == 0x810dc01a
 00177   520   NtUserFindExistingCursorIcon  (5435156, 5435172, 5435740, ... ) == 0x10011
 00178   520   NtUserRegisterClassExWOW  (5435676, 5435756, 5435740, 5435772, 679, 128, 0, ... ) == 0x810dc01d
 00179   520   NtUserFindExistingCursorIcon  (5435156, 5435172, 5435740, ... ) == 0x10011
 00180   520   NtUserRegisterClassExWOW  (5435676, 5435756, 5435740, 5435772, 681, 128, 0, ...
 00181   520   NtAllocateVirtualMemory  (-1, 6647808, 0, 4096, 4096, 32, ... 6647808, 4096, ) == 0x0
 00180   520   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00182   520   NtUserFindExistingCursorIcon  (5435156, 5435172, 5435740, ... ) == 0x10011
 00183   520   NtUserRegisterClassExWOW  (5435676, 5435756, 5435740, 5435772, 680, 128, 0, ... ) == 0x810dc019
 00184   520   NtUserRegisterClassExWOW  (5435628, 5435708, 5435692, 5435724, 0, 128, 0, ... ) == 0x810dc020
 00185   520   NtUserRegisterClassExWOW  (5435628, 5435704, 5435720, 5435692, 0, 130, 0, ... ) == 0x810dc022
 00186   520   NtUserRegisterClassExWOW  (5435628, 5435708, 5435692, 5435724, 0, 128, 0, ... ) == 0x810dc023
 00187   520   NtUserRegisterClassExWOW  (5435628, 5435704, 5435720, 5435692, 0, 130, 0, ... ) == 0x810dc024
 00188   520   NtUserRegisterClassExWOW  (5435628, 5435708, 5435692, 5435724, 0, 128, 0, ... ) == 0x810dc025
 00189   520   NtCallbackReturn  (0, 0, 0, ...
 00190   520   NtGdiInit  (... ) == 0x1
 00191   520   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00192   520   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00193   520   NtSetEventBoostPriority  (28, ...
 00115   548   NtWaitForSingleObject  ... ) == 0x0
 00194   548   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... }, 7, 2113568, ...
 00193   520   NtSetEventBoostPriority  ... ) == 0x0
 00195   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AlertDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00196   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhLearnDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00197   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhAppChangedDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00198   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.Product_Notification", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00199   520   NtDelayExecution  (0, {-100000, -1}, ...
 00194   548   NtOpenFile  ... 56, {status=0x0, info=1}, ) == 0x0
 00200   548   NtQueryInformationFile  (56, 1244332, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00201   548   NtSetInformationFile  (56, 1324360, 114, Rename, ... ) == STATUS_NOT_SAME_DEVICE
 00202   548   NtClose  (56, ... ) == 0x0
 00203   548   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9764864, 1048576, ) == 0x0
 00204   548   NtAllocateVirtualMemory  (-1, 10792960, 0, 20480, 4096, 4, ... 10792960, 20480, ) == 0x0
 00205   548   NtProtectVirtualMemory  (-1, (0xa4b000), 4096, 260, ... (0xa4b000), 4096, 4, ) == 0x0
 00206   548   NtCreateThread  (0x1f03ff, 0x0, -1, 1244236, 1244952, 1, ... 56, {420, 560}, ) == 0x0
 00207   548   NtQueryInformationThread  (56, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=420,Tid=560,}, 0x0, ) == 0x0
 00208   548   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\0\0\0\244\1\0\00\2\0\0" ... {28, 56, reply, 0, 420, 548, 1492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\0\0\0\244\1\0\00\2\0\0" )  ... {28, 56, reply, 0, 420, 548, 1492, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\0\0\0\244\1\0\00\2\0\0" ... {28, 56, reply, 0, 420, 548, 1492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\0\0\0\244\1\0\00\2\0\0" )  ) == 0x0
 00209   548   NtResumeThread  (56, ... 1, ) == 0x0
 00210   548   NtClose  (56, ... ) == 0x0
 00211   548   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 00212   560   NtTestAlert  (... ) == 0x0
 00213   560   NtContinue  (10812720, 1, ...
 00214   560   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00215   560   NtOpenFile  (0x110080, {24, 12, 0x40, 0, 0, "}, 7, 2113568, ...
 00211   548   NtCreateEvent  ... 56, ) == 0x0
 00216   548   NtCallbackReturn  (0, 0, 0, ...
 00217   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Create rule for packed.exe", 0, ... ) , 0, ... ) == 0x0
 00218   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Ñîçäàòü ïðàâèëî äëÿ packed.exe", 0, ... ) , 0, ... ) == 0x0
 00219   548   NtDelayExecution  (0, {-100000, -1}, ...
 00215   560   NtOpenFile  ... ) == STATUS_OBJECT_NAME_INVALID
 00220   560   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00221   560   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 60, {status=0x0, info=1}, ) }, 7, 2113568, ... 60, {status=0x0, info=1}, ) == 0x0
 00222   560   NtQueryInformationFile  (60, 10812588, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00223   560   NtSetInformationFile  (60, 1324360, 114, Rename, ... ) == STATUS_NOT_SAME_DEVICE
 00224   560   NtClose  (60, ... ) == 0x0
 00225   560   NtContinue  (10812644, 0, ...
 00226   560   NtAllocateVirtualMemory  (-1, 0, 0, 5732, 4096, 64, ... 10813440, 8192, ) == 0x0
 00227   560   NtAllocateVirtualMemory  (-1, 0, 0, 159804, 4096, 64, ... 10878976, 163840, ) == 0x0
 00228   560   NtAllocateVirtualMemory  (-1, 0, 0, 78688, 4096, 4, ... 11075584, 81920, ) == 0x0
 00199   520   NtDelayExecution  ... ) == 0x0
 00219   548   NtDelayExecution  ... ) == 0x0
 00229   560   NtFreeVirtualMemory  (-1, (0xa90000), 0, 32768, ...
 00230   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Create rule for packed.exe", 0, ... , 0, ...
 00229   560   NtFreeVirtualMemory  ... (0xa90000), 81920, ) == 0x0
 00230   548   NtUserFindWindowEx  ... ) == 0x0
 00231   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... }, ...
 00232   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Ñîçäàòü ïðàâèëî äëÿ packed.exe", 0, ... , 0, ...
 00231   560   NtOpenSection  ... 60, ) == 0x0
 00233   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AlertDialog", 0x0, 0, ... , 0x0, 0, ...
 00234   560   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 00233   520   NtUserFindWindowEx  ... ) == 0x0
 00234   560   NtMapViewOfSection  ... (0x77120000), 0x0, 569344, ) == 0x0
 00235   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhLearnDialog", 0x0, 0, ... , 0x0, 0, ...
 00232   548   NtUserFindWindowEx  ... ) == 0x0
 00235   520   NtUserFindWindowEx  ... ) == 0x0
 00236   548   NtDelayExecution  (0, {-100000, -1}, ...
 00237   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhAppChangedDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00238   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.Product_Notification", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00239   520   NtDelayExecution  (0, {-100000, -1}, ...
 00240   560   NtClose  (60, ... ) == 0x0
 00241   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 60, ) }, ... 60, ) == 0x0
 00242   560   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00243   560   NtClose  (60, ... ) == 0x0
 00244   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 60, ) }, ... 60, ) == 0x0
 00245   560   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00246   560   NtClose  (60, ... ) == 0x0
 00247   560   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00248   560   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11075584, 65536, ) == 0x0
 00249   560   NtAllocateVirtualMemory  (-1, 11075584, 0, 4096, 4096, 4, ... 11075584, 4096, ) == 0x0
 00250   560   NtAllocateVirtualMemory  (-1, 11079680, 0, 8192, 4096, 4, ... 11079680, 8192, ) == 0x0
 00251   560   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 60, ) }, ... 60, ) == 0x0
 00252   560   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xaa0000), 0x0, 12288, ) == 0x0
 00253   560   NtClose  (60, ... ) == 0x0
 00254   560   NtAllocateVirtualMemory  (-1, 11087872, 0, 4096, 4096, 4, ... 11087872, 4096, ) == 0x0
 00255   560   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00256   560   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00257   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00258   560   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00259   560   NtClose  (60, ... ) == 0x0
 00260   560   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00261   560   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00262   560   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00263   560   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00264   560   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00265   560   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266   560   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00267   560   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00268   560   NtClose  (60, ... ) == 0x0
 00269   560   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00270   560   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00271   560   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   560   NtClose  (60, ... ) == 0x0
 00273   560   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 60, ) }, ... 60, ) == 0x0
 00274   560   NtOpenEvent  (0x1f0003, {24, 60, 0x0, 0, 0,  (0x1f0003, {24, 60, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 64, ) == 0x0
 00276   560   NtCallbackReturn  (0, 0, 0, ...
 00277   560   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00278   560   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   560   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00280   560   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00282   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 10811180, ... ) }, 10811180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   560   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 10811180, ... ) }, 10811180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 10811180, ... ) }, 10811180, ... ) == 0x0
 00285   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00286   560   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0
 00287   560   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00288   560   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00289   560   NtQueryInformationToken  (76, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00290   560   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00291   560   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 80, ) }, ... 80, ) == 0x0
 00292   560   NtQueryValueKey  (80,  (80, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (80, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00293   560   NtClose  (80, ... ) == 0x0
 00294   560   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00295   560   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00296   560   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00297   560   NtClose  (80, ... ) == 0x0
 00298   560   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   560   NtClose  (76, ... ) == 0x0
 00300   560   NtClose  (68, ... ) == 0x0
 00301   560   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00302   560   NtClose  (72, ... ) == 0x0
 00303   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 10810376, ... ) }, 10810376, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00305   560   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 10810376, ... ) }, 10810376, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00306   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 10810376, ... ) }, 10810376, ... ) == 0x0
 00307   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00308   560   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 72, ... 68, ) == 0x0
 00309   560   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00310   560   NtClose  (72, ... ) == 0x0
 00311   560   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00312   560   NtClose  (68, ... ) == 0x0
 00313   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 10809572, ... ) }, 10809572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00315   560   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 10809572, ... ) }, 10809572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 10809572, ... ) }, 10809572, ... ) == 0x0
 00317   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00318   560   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0
 00319   560   NtQuerySection  (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00320   560   NtClose  (68, ... ) == 0x0
 00321   560   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00322   560   NtClose  (72, ... ) == 0x0
 00323   560   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00324   560   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00325   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00326   560   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00327   560   NtClose  (72, ... ) == 0x0
 00328   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00329   560   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00330   560   NtClose  (72, ... ) == 0x0
 00331   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00332   560   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00333   560   NtClose  (72, ... ) == 0x0
 00334   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 72, ) }, ... 72, ) == 0x0
 00335   560   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00336   560   NtClose  (72, ... ) == 0x0
 00337   560   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00338   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00339   560   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00340   560   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00341   560   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00342   560   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00343   560   NtCreateEvent  (0x1f0003, {24, 60, 0x80, 10811312, 0,  (0x1f0003, {24, 60, 0x80, 10811312, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... }, 0, 0, ...
 00236   548   NtDelayExecution  ... ) == 0x0
 00344   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Create rule for packed.exe", 0, ... ) , 0, ... ) == 0x0
 00239   520   NtDelayExecution  ... ) == 0x0
 00343   560   NtCreateEvent  ... ) == STATUS_ACCESS_DENIED
 00345   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AlertDialog", 0x0, 0, ... , 0x0, 0, ...
 00346   560   NtOpenEvent  (0x100000, {24, 60, 0x0, 0, 0,  (0x100000, {24, 60, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... }, ...
 00347   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Ñîçäàòü ïðàâèëî äëÿ packed.exe", 0, ... , 0, ...
 00346   560   NtOpenEvent  ... 72, ) == 0x0
 00347   548   NtUserFindWindowEx  ... ) == 0x0
 00348   560   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ...
 00349   548   NtDelayExecution  (0, {-100000, -1}, ...
 00348   560   NtAllocateVirtualMemory  ... 1347584, 8192, ) == 0x0
 00350   560   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00351   560   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00352   560   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00353   560   NtClose  (68, ...
 00345   520   NtUserFindWindowEx  ... ) == 0x0
 00354   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhLearnDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00355   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhAppChangedDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00356   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.Product_Notification", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00357   520   NtDelayExecution  (0, {-100000, -1}, ...
 00353   560   NtClose  ... ) == 0x0
 00358   560   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 68, ) }, ... 68, ) == 0x0
 00359   560   NtSetInformationObject  (68, Handle, {Inherit=0,ProtectFromClose=1,}, 10748160, ... ) == 0x0
 00360   560   NtCreateKey  (0xf003f, {24, 68, 0x40, 0, 0,  (0xf003f, {24, 68, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00361   560   NtQueryDefaultUILanguage  (10809548, ...
 00362   560   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00363   560   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482204, ) == 0x0
 00364   560   NtQueryInformationToken  (-2147482204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00365   560   NtClose  (-2147482204, ... ) == 0x0
 00366   560   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0
 00367   560   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00368   560   NtOpenKey  (0x80000000, {24, -2147482204, 0x640, 0, 0,  (0x80000000, {24, -2147482204, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482200, ) }, ... -2147482200, ) == 0x0
 00369   560   NtQueryValueKey  (-2147482200,  (-2147482200, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00370   560   NtClose  (-2147482200, ... ) == 0x0
 00371   560   NtClose  (-2147482204, ... ) == 0x0
 00361   560   NtQueryDefaultUILanguage  ... ) == 0x0
 00372   560   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00373   560   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00374   560   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00375   560   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 84, ) == 0x0
 00376   560   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xab0000), 0x0, 593920, ) == 0x0
 00377   560   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00378   560   NtQueryDefaultUILanguage  (2013024600, ...
 00379   560   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00380   560   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00381   560   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00382   560   NtClose  (-2147482208, ... ) == 0x0
 00383   560   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00384   560   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   560   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00386   560   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00387   560   NtClose  (-2147482196, ... ) == 0x0
 00388   560   NtClose  (-2147482208, ... ) == 0x0
 00378   560   NtQueryDefaultUILanguage  ... ) == 0x0
 00389   560   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00390   560   NtQueryDefaultLocale  (1, 10807584, ... ) == 0x0
 00391   560   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00392   560   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 10808440, 1, 96, 0}  (24, {128, 156, new_msg, 0, 10808440, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\357\244\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1P\0\0\0\377\377\377\377\0\0\0\0P\275\262\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0x\363\244\0\0\0\0\0" ...  ...
 00349   548   NtDelayExecution  ... ) == 0x0
 00393   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Create rule for packed.exe", 0, ... ) , 0, ... ) == 0x0
 00394   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Ñîçäàòü ïðàâèëî äëÿ packed.exe", 0, ... ) , 0, ... ) == 0x0
 00395   548   NtDelayExecution  (0, {-100000, -1}, ...
 00392   560   NtRequestWaitReplyPort  ... {128, 156, reply, 0, 420, 560, 1495, 0}  ... {128, 156, reply, 0, 420, 560, 1495, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\357\244\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1P\0\0\0\377\377\377\377\0\0\0\0P\275\262\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0x\363\244\0\0\0\0\0" )  ) == 0x0
 00357   520   NtDelayExecution  ... ) == 0x0
 00396   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AlertDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00397   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhLearnDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00398   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhAppChangedDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00399   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.Product_Notification", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00400   560   NtClose  (80, ... ) == 0x0
 00401   560   NtClose  (84, ... ) == 0x0
 00402   560   NtUnmapViewOfSection  (-1, 0xab0000, ... ) == 0x0
 00403   560   NtUnmapViewOfSection  (-1, 0xa4f378, ... ) == STATUS_NOT_MAPPED_VIEW
 00404   560   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00405   560   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   520   NtDelayExecution  (0, {-100000, -1}, ...
 00407   560   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00408   560   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00409   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 10806124, ... ) }, 10806124, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410   560   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00411   560   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00412   560   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00413   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 10806716, ... ) }, 10806716, ... ) == 0x0
 00414   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 84, {status=0x0, info=1}, ) }, 3, 33, ... 84, {status=0x0, info=1}, ) == 0x0
 00415   560   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00416   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00417   560   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 88, ) == 0x0
 00418   560   NtClose  (80, ... ) == 0x0
 00419   560   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb60000), 0x0, 921600, ) == 0x0
 00420   560   NtClose  (88, ... ) == 0x0
 00421   560   NtUnmapViewOfSection  (-1, 0xb60000, ... ) == 0x0
 00422   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00423   560   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 80, ) == 0x0
 00424   560   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00425   560   NtClose  (88, ... ) == 0x0
 00426   560   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00427   560   NtClose  (80, ... ) == 0x0
 00428   560   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00429   560   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00430   560   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00431   560   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00432   560   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00433   560   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00434   560   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00435   560   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00436   560   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00437   560   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00438   560   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00439   560   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00440   560   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00441   560   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00442   560   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00443   560   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00444   560   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00445   560   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00446   560   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00447   560   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00448   560   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00449   560   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 10807900, ... ) , 42, 10807900, ... ) == 0x0
 00450   560   NtQueryDefaultUILanguage  (10806616, ...
 00451   560   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00452   560   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00453   560   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00454   560   NtClose  (-2147482208, ... ) == 0x0
 00455   560   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00456   560   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00457   560   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00458   560   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00459   560   NtClose  (-2147482196, ... ) == 0x0
 00460   560   NtClose  (-2147482208, ... ) == 0x0
 00450   560   NtQueryDefaultUILanguage  ... ) == 0x0
 00461   560   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 10805468, ... ) }, 10805468, ... ) == 0x0
 00463   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00464   560   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 88, ) == 0x0
 00465   560   NtClose  (80, ... ) == 0x0
 00466   560   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xab0000), 0x0, 4096, ) == 0x0
 00467   560   NtClose  (88, ... ) == 0x0
 00468   560   NtUnmapViewOfSection  (-1, 0xab0000, ... ) == 0x0
 00469   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 10805108, ... ) }, 10805108, ... ) == 0x0
 00470   560   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 10805808,  (0x80100080, {24, 0, 0x40, 0, 10805808, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) == 0x0
 00471   560   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 88, ... 80, ) == 0x0
 00472   560   NtClose  (88, ... ) == 0x0
 00473   560   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xab0000), {0, 0}, 4096, ) == 0x0
 00474   560   NtClose  (80, ... ) == 0x0
 00475   560   NtUnmapViewOfSection  (-1, 0xab0000, ... ) == 0x0
 00476   560   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00477   560   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00478   560   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xab0000), 0x0, 4096, ) == 0x0
 00479   560   NtQueryInformationFile  (80, 10805428, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00480   560   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00481   560   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 10805508, 1, 96, 0}  (24, {128, 156, new_msg, 0, 10805508, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\350\244\0\0\0\0\0" ... {128, 156, reply, 0, 420, 560, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\350\244\0\0\0\0\0" )  ... {128, 156, reply, 0, 420, 560, 1496, 0}  (24, {128, 156, new_msg, 0, 10805508, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\350\244\0\0\0\0\0" ... {128, 156, reply, 0, 420, 560, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\4\350\244\0\0\0\0\0" )  ) == 0x0
 00482   560   NtClose  (80, ... ) == 0x0
 00483   560   NtClose  (88, ... ) == 0x0
 00484   560   NtUnmapViewOfSection  (-1, 0xab0000, ... ) == 0x0
 00485   560   NtUnmapViewOfSection  (-1, 0xa4e804, ... ) == STATUS_NOT_MAPPED_VIEW
 00486   560   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00487   560   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00488   560   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00489   560   NtUserGetDC  (0, ... ) == 0x1010053
 00490   560   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00491   560   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00492   560   NtContinue  (10805464, 0, ...
 00493   560   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00494   560   NtUnmapViewOfSection  (-1, 0x71950000, ... ) == 0x0
 00495   560   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00496   560   NtUnmapViewOfSection  (-1, 0xb50000, ... ) == 0x0
 00497   560   NtClose  (84, ... ) == 0x0
 00498   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00499   560   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00500   560   NtClose  (84, ... ) == 0x0
 00501   560   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {420, 0}, ... 84, ) == 0x0
 00502   560   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00503   560   NtClose  (84, ... ) == 0x0
 00504   560   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00505   560   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00506   560   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00507   560   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "Control Panel\Desktop"}, ... 84, ) }, ... 84, ) == 0x0
 00508   560   NtQueryValueKey  (84,  (84, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00509   560   NtClose  (84, ... ) == 0x0
 00510   560   NtUserSystemParametersInfo  (41, 500, 10808032, 0, ... ) == 0x1
 00511   560   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00512   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00513   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00514   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc03b
 00515   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00516   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc03d
 00517   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00518   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00519   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc03f
 00520   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00521   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00522   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc041
 00523   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00524   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00525   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc043
 00526   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00527   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc045
 00528   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00529   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00530   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc047
 00531   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00532   560   NtUserFindExistingCursorIcon  (10807820, 10807836, 10808404, ... ) == 0x10011
 00533   560   NtUserRegisterClassExWOW  (10808272, 10808352, 10808336, 10808368, 0, 384, 0, ... ) == 0x810cc049
 00534   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00535   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00536   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc04b
 00537   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00538   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00539   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc04d
 00540   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00541   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00542   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc04f
 00543   560   NtUserGetClassInfo  (1999896576, 10808444, 10808396, 10808472, 0, ... ) == 0x0
 00544   560   NtUserRegisterClassExWOW  (10808280, 10808360, 10808344, 10808376, 0, 384, 0, ... ) == 0x810cc051
 00545   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00546   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00547   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc053
 00548   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00549   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00550   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc055
 00551   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc057
 00552   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00553   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00554   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc059
 00555   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00556   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10013
 00557   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc05b
 00558   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00559   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00560   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc05d
 00561   560   NtUserGetClassInfo  (1999896576, 10808440, 10808392, 10808468, 0, ... ) == 0x0
 00562   560   NtUserFindExistingCursorIcon  (10807824, 10807840, 10808408, ... ) == 0x10011
 00563   560   NtUserRegisterClassExWOW  (10808276, 10808356, 10808340, 10808372, 0, 384, 0, ... ) == 0x810cc05f
 00564   560   NtCreateKey  (0x2001f, {24, 68, 0x40, 0, 0,  (0x2001f, {24, 68, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 84, 2, ) }, 0, 0x0, 0, ... 84, 2, ) == 0x0
 00565   560   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 00566   560   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 00567   560   NtFreeVirtualMemory  (-1, (0xa60000), 0, 32768, ... (0xa60000), 163840, ) == 0x0
 00568   560   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00569   560   NtOpenKey  (0xf0019, {24, 68, 0x40, 0, 0,  (0xf0019, {24, 68, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00570   560   NtOpenKey  (0xf0019, {24, 32, 0x40, 0, 0,  (0xf0019, {24, 32, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   560   NtOpenKey  (0xf0019, {24, 68, 0x40, 0, 0,  (0xf0019, {24, 68, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00572   560   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00573   560   NtQueryInformationToken  (88, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00574   560   NtClose  (88, ... ) == 0x0
 00575   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00576   560   NtReleaseMutant  (16, ...
 00577   560   NtContinue  (-104488824, 0, ...
 00576   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00578   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.ENU"}, 10810448, ... ) }, 10810448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.ENU"}, 10810088, ... }, 10810088, ...
 00406   520   NtDelayExecution  ... ) == 0x0
 00580   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AlertDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00581   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhLearnDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00582   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhAppChangedDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00583   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.Product_Notification", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00584   520   NtDelayExecution  (0, {-100000, -1}, ...
 00395   548   NtDelayExecution  ... ) == 0x0
 00585   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Create rule for packed.exe", 0, ... ) , 0, ... ) == 0x0
 00586   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Ñîçäàòü ïðàâèëî äëÿ packed.exe", 0, ... ) , 0, ... ) == 0x0
 00587   548   NtDelayExecution  (0, {-100000, -1}, ...
 00579   560   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00588   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.ENU.DLL"}, 10810088, ... ) }, 10810088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00589   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.EN"}, 10810448, ... ) }, 10810448, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00590   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.EN"}, 10810088, ... ) }, 10810088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00591   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.EN.DLL"}, 10810088, ... ) }, 10810088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00592   560   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00593   560   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 11337728, 1048576, ) == 0x0
 00594   560   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00595   560   NtAllocateVirtualMemory  (-1, 11337728, 0, 16384, 4096, 4, ... 11337728, 16384, ) == 0x0
 00596   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00597   560   NtReleaseMutant  (16, ...
 00598   560   NtContinue  (-104488824, 0, ...
 00597   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00599   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00600   560   NtReleaseMutant  (16, ...
 00601   560   NtContinue  (-104488824, 0, ...
 00600   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00602   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00603   560   NtReleaseMutant  (16, ...
 00604   560   NtContinue  (-104488824, 0, ...
 00603   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00605   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00606   560   NtReleaseMutant  (16, ...
 00607   560   NtContinue  (-104488824, 0, ...
 00606   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00608   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00609   560   NtReleaseMutant  (16, ...
 00610   560   NtContinue  (-104488824, 0, ...
 00609   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00611   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00612   560   NtReleaseMutant  (16, ...
 00613   560   NtContinue  (-104488824, 0, ...
 00612   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00614   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00615   560   NtReleaseMutant  (16, ...
 00616   560   NtContinue  (-104488824, 0, ...
 00615   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00617   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00618   560   NtReleaseMutant  (16, ...
 00619   560   NtContinue  (-104488824, 0, ...
 00618   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00620   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00621   560   NtReleaseMutant  (16, ...
 00622   560   NtContinue  (-104488824, 0, ...
 00621   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00623   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00624   560   NtReleaseMutant  (16, ...
 00625   560   NtContinue  (-104488824, 0, ...
 00624   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00626   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00627   560   NtReleaseMutant  (16, ...
 00628   560   NtContinue  (-104488824, 0, ...
 00627   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00629   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00630   560   NtReleaseMutant  (16, ...
 00631   560   NtContinue  (-104488824, 0, ...
 00630   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00632   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00633   560   NtReleaseMutant  (16, ...
 00634   560   NtContinue  (-104488824, 0, ...
 00633   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00635   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00636   560   NtReleaseMutant  (16, ...
 00637   560   NtContinue  (-104488824, 0, ...
 00636   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00638   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00639   560   NtReleaseMutant  (16, ...
 00640   560   NtContinue  (-104488824, 0, ...
 00639   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00641   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00642   560   NtReleaseMutant  (16, ...
 00643   560   NtContinue  (-104488824, 0, ...
 00642   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00644   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00645   560   NtReleaseMutant  (16, ...
 00646   560   NtContinue  (-104488824, 0, ...
 00645   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00647   560   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00648   560   NtReleaseMutant  (16, ...
 00649   560   NtContinue  (-104488824, 0, ...
 00648   560   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00650   560   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0
 00651   560   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00652   560   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00653   560   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0
 00654   560   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... 92, ) }, ... 92, ) == 0x0
 00655   560   NtQueryValueKey  (92,  (92, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00656   560   NtNotifyChangeKey  (92, 80, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00657   560   NtQueryValueKey  (92,  (92, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00658   560   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00659   560   NtQueryValueKey  (92,  (92, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00660   560   NtQueryValueKey  (92,  (92, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00661   560   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "Catalog_Entries"}, ... 96, ) }, ... 96, ) == 0x0
 00662   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000001"}, ... 100, ) }, ... 100, ) == 0x0
 00663   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00664   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00665   560   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00666   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\233\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\233\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\234\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\235\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\233\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\233\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\234\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\235\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\233\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\233\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\234\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\235\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00667   560   NtClose  (100, ... ) == 0x0
 00668   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000002"}, ... 100, ) }, ... 100, ) == 0x0
 00669   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00670   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00671   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\240\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\240\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\241\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\242\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\240\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\240\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\241\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\242\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\240\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\240\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\241\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\242\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00672   560   NtClose  (100, ... ) == 0x0
 00673   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000003"}, ... 100, ) }, ... 100, ) == 0x0
 00674   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00675   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00676   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\245\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\245\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\246\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\247\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\245\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\245\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\246\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\247\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\245\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\245\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\246\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\247\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00677   560   NtClose  (100, ... ) == 0x0
 00678   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000004"}, ... 100, ) }, ... 100, ) == 0x0
 00679   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00680   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00681   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\252\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\252\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\253\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\254\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\252\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\252\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\253\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\254\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\252\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\252\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\253\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\253\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\254\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\254\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\255\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00682   560   NtClose  (100, ... ) == 0x0
 00683   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000005"}, ... 100, ) }, ... 100, ) == 0x0
 00684   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00685   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00686   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\257\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\257\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\260\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\261\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\257\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\257\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\260\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\261\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\257\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\257\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\260\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\261\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\261\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\262\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00687   560   NtClose  (100, ... ) == 0x0
 00688   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000006"}, ... 100, ) }, ... 100, ) == 0x0
 00689   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00690   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00691   560   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00692   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\265\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\265\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\266\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\267\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\265\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\265\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\266\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\267\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\265\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\265\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\266\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\267\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00693   560   NtClose  (100, ... ) == 0x0
 00694   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000007"}, ... 100, ) }, ... 100, ) == 0x0
 00695   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00696   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00697   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\272\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\272\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\273\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\274\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\272\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\272\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\273\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\274\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\272\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\272\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\273\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\274\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00698   560   NtClose  (100, ... ) == 0x0
 00699   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000008"}, ... 100, ) }, ... 100, ) == 0x0
 00700   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00701   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00702   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\277\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\277\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\300\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\301\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\277\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\277\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\300\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\301\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\277\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\277\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\300\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\300\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\301\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\301\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\302\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00703   560   NtClose  (100, ... ) == 0x0
 00704   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000009"}, ... 100, ) }, ... 100, ) == 0x0
 00705   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00706   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00707   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\304\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\304\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\305\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\306\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\304\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\304\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\305\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\306\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\304\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\304\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\305\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\306\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\306\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\307\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00708   560   NtClose  (100, ... ) == 0x0
 00709   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000010"}, ... 100, ) }, ... 100, ) == 0x0
 00710   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00711   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00712   560   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 00713   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\312\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\312\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\313\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\314\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\312\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\312\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\313\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\314\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0 (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\312\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\312\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0`\0\0\0 \376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\247\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\313\2\0\0\244\1\0\00\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\0\314\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\2\0\0\244\1\0\00\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\244\1\0\00\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0d\0\0\0\0\0\0\0"\0\12\2\0\314\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00714   560   NtClose  (100, ... ) == 0x0
 00715   560   NtOpenKey  (0x20019, {24, 96, 0x40, 0, 0,  (0x20019, {24, 96, 0x40, 0, 0, "000000000011"}, ... 100, ) }, ... 100, ) == 0x0
 00716   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00717   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00718   560   NtQueryValueKey  (100,  (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\317\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\317\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\320\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\2\0\0\244\1\0\00\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\321\2\0\0\244\1\0\00\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\322\2\0\0\244\1\0\00\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\322\2\0\0\244\1\0\00\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\323\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0<\376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0 \242\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (100, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\317\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0\317\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\244\1\0\00\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\320\2\0\0\244\1\0\00\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\2\0\0\244\1\0\00\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\321\2\0\0\244\1\0\00\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\322\2\0\0\244\1\0\00\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\322\2\0\0\244\1\0\00\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\323\2\0\0\244\1\0\00\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0<\376\244\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0 \242\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 00719   560   NtClose  (100, ... ) == 0x0
 00720   560   NtClose  (96, ... ) == 0x0
 00721   560   NtWaitForSingleObject  (80, 0, {0, 0}, ... ) == 0x102
 00722   560   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00723   560   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 100, ) }, ... 100, ) == 0x0
 00724   560   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00725   560   NtNotifyChangeKey  (100, 96, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00726   560   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00727   560   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00728   560   NtQueryValueKey  (100,  (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 00729   560   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Catalog_Entries"}, ... 104, ) }, ... 104, ) == 0x0
 00730   560   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000001"}, ... 108, ) }, ... 108, ) == 0x0
 00731   560   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00732   560   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00733   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00734   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00735   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00736   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00737   560   NtQueryValueKey  (108,  (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00738   560   NtQueryValueKey  (108,  (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00739   560   NtQueryValueKey  (108,  (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00740   560   NtQueryValueKey  (108,  (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00741   560   NtQueryValueKey  (108,  (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00742   560   NtQueryValueKey  (108,  (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00743   560   NtClose  (108, ... ) == 0x0
 00744   560   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000002"}, ... 108, ) }, ... 108, ) == 0x0
 00745   560   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00746   560   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00747   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00748   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00749   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00750   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00751   560   NtQueryValueKey  (108,  (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00752   560   NtQueryValueKey  (108,  (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00753   560   NtQueryValueKey  (108,  (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00754   560   NtQueryValueKey  (108,  (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00755   560   NtQueryValueKey  (108,  (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00756   560   NtQueryValueKey  (108,  (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00757   560   NtClose  (108, ... ) == 0x0
 00758   560   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000003"}, ... 108, ) }, ... 108, ) == 0x0
 00759   560   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00760   560   NtQueryValueKey  (108,  (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00761   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00762   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00763   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00764   560   NtQueryValueKey  (108,  (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00765   560   NtQueryValueKey  (108,  (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (108, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00766   560   NtQueryValueKey  (108,  (108, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00767   560   NtQueryValueKey  (108,  (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00768   560   NtQueryValueKey  (108,  (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00769   560   NtQueryValueKey  (108,  (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00770   560   NtQueryValueKey  (108,  (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00771   560   NtClose  (108, ... ) == 0x0
 00772   560   NtClose  (104, ... ) == 0x0
 00773   560   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 00774   560   NtClose  (88, ... ) == 0x0
 00775   560   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00776   560   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00777   560   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0
 00778   560   NtQueryValueKey  (88,  (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   560   NtClose  (88, ... ) == 0x0
 00780   560   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0
 00781   560   NtCreateEvent  (0x1f0003, {24, 60, 0x80, 0, 0, ""}, 0, 0, ... 104, ) == 0x0
 00782   560   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 108, ) == 0x0
 00783   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00784   560   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 10812092,  (0x80100080, {24, 0, 0x40, 0, 10812092, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0
 00785   560   NtQueryInformationFile  (116, 10813028, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00786   560   NtQueryInformationFile  (116, 10813000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00787   560   NtQueryInformationFile  (116, 10812952, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00788   560   NtAllocateVirtualMemory  (-1, 1376256, 0, 8192, 4096, 4, ... 1376256, 8192, ) == 0x0
 00789   560   NtQueryInformationFile  (116, 1375656, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00790   560   NtQueryInformationFile  (116, 10811496, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00791   560   NtQueryInformationFile  (116, 10811340, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00792   560   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 10811348,  (0x40110080, {24, 0, 0x40, 0, 10811348, "\??\C:\WINDOWS\msreport32.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00793   560   NtClose  (-2147482208, ... ) == 0x0
 00792   560   NtCreateFile  ... 120, {status=0x0, info=2}, ) == 0x0
 00794   560   NtQueryVolumeInformationFile  (120, 10810720, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00795   560   NtQueryInformationFile  (120, 10810680, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00796   560   NtQueryVolumeInformationFile  (116, 10810720, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00797   560   NtSetInformationFile  (120, 10810508, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00798   560   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 116, ... 124, ) == 0x0
 00799   560   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa60000), {0, 0}, 49152, ) == 0x0
 00800   560   NtClose  (124, ... ) == 0x0
 00584   520   NtDelayExecution  ... ) == 0x0
 00802   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AlertDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00803   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhLearnDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00587   548   NtDelayExecution  ... ) == 0x0
 00804   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Create rule for packed.exe", 0, ... ) , 0, ... ) == 0x0
 00805   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Ñîçäàòü ïðàâèëî äëÿ packed.exe", 0, ... ) , 0, ... ) == 0x0
 00806   548   NtDelayExecution  (0, {-100000, -1}, ...
 00807   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhAppChangedDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00808   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.Product_Notification", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00809   520   NtDelayExecution  (0, {-100000, -1}, ...
 00801   560   NtWriteFile  (120, 0, 0, 0,  (120, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\31^B*\0\0\0\0\0\0\0\0\340\0\216\201\13\1\2\31\0<\2\0\0D\0\0\0\0\0\0\0\20\0\0\0\20\0\0\0P\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\3\0\0\4\0\0\250\220\1\0\2\0\0\0\0\0\20\0\0@\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\21\360\2\0(\0\0\0\0\340\2\0 \2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\357\2\0,\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 46809, 0x0, 0, ... {status=0x0, info=46809}, ) , 46809, 0x0, 0, ... {status=0x0, info=46809}, ) == 0x0
 00810   560   NtUnmapViewOfSection  (-1, 0xa60000, ... ) == 0x0
 00811   560   NtSetInformationFile  (120, 10812952, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00812   560   NtClose  (116, ... ) == 0x0
 00813   560   NtClose  (120, ... ) == 0x0
 00814   560   NtCreateKey  (0xf003f, {24, 68, 0x40, 0, 0,  (0xf003f, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0
 00815   560   NtSetValueKey  (120,  (120, "MS Reporter(dont disable)", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0m\0s\0r\0e\0p\0o\0r\0t\03\02\0.\0e\0x\0e\0\0\0", 52, ... , 0, 1,  (120, "MS Reporter(dont disable)", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0m\0s\0r\0e\0p\0o\0r\0t\03\02\0.\0e\0x\0e\0\0\0", 52, ... , 52, ...
 00816   560   NtSetInformationFile  (-2147482732, -104487116, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00817   560   NtSetInformationFile  (-2147482732, -104487152, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00818   560   NtSetInformationFile  (-2147482732, -104487208, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00819   560   NtSetInformationFile  (-2147482732, -104487516, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00820   560   NtSetInformationFile  (-2147482732, -104487564, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00815   560   NtSetValueKey  ... ) == 0x0
 00821   560   NtClose  (120, ... ) == 0x0
 00822   560   NtQueryPerformanceCounter  (... {95639849, 0}, {3579545, 0}, ) == 0x0
 00823   560   NtQueryPerformanceCounter  (... {95639883, 0}, {3579545, 0}, ) == 0x0
 00824   560   NtQueryPerformanceCounter  (... {95639905, 0}, {3579545, 0}, ) == 0x0
 00825   560   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 00826   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 10809520, ... ) }, 10809520, ... ) == 0x0
 00827   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 00828   560   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 116, ) == 0x0
 00829   560   NtClose  (120, ... ) == 0x0
 00830   560   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbd0000), 0x0, 229376, ) == 0x0
 00831   560   NtClose  (116, ... ) == 0x0
 00832   560   NtUnmapViewOfSection  (-1, 0xbd0000, ... ) == 0x0
 00833   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 10809836, ... ) }, 10809836, ... ) == 0x0
 00834   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 00835   560   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 120, ) == 0x0
 00836   560   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00837   560   NtClose  (116, ... ) == 0x0
 00838   560   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0
 00839   560   NtClose  (120, ... ) == 0x0
 00840   560   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00841   560   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00842   560   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00843   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 10809636, ... ) }, 10809636, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00845   560   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 10809636, ... ) }, 10809636, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00846   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 10809636, ... ) }, 10809636, ... ) == 0x0
 00847   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 00848   560   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 124, ) == 0x0
 00849   560   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00850   560   NtClose  (116, ... ) == 0x0
 00851   560   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 00852   560   NtClose  (124, ... ) == 0x0
 00853   560   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 124, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 124, 2, ) , 0, ... 124, 2, ) == 0x0
 00854   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 116, ) }, ... 116, ) == 0x0
 00855   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00856   560   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00857   560   NtQueryValueKey  (116,  (116, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00858   560   NtQueryValueKey  (124,  (124, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00859   560   NtQueryValueKey  (116,  (116, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00860   560   NtQueryValueKey  (124,  (124, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00861   560   NtQueryValueKey  (116,  (116, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   560   NtQueryValueKey  (124,  (124, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00863   560   NtQueryValueKey  (116,  (116, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   560   NtQueryValueKey  (124,  (124, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00865   560   NtQueryValueKey  (116,  (116, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00866   560   NtQueryValueKey  (116,  (116, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   560   NtQueryValueKey  (116,  (116, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00868   560   NtQueryValueKey  (116,  (116, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00869   560   NtQueryValueKey  (116,  (116, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00870   560   NtQueryValueKey  (116,  (116, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00871   560   NtQueryValueKey  (116,  (116, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   560   NtQueryValueKey  (124,  (124, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   560   NtQueryValueKey  (116,  (116, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   560   NtQueryValueKey  (116,  (116, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   560   NtQueryValueKey  (124,  (124, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876   560   NtQueryValueKey  (116,  (116, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00877   560   NtQueryValueKey  (124,  (124, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00878   560   NtQueryValueKey  (116,  (116, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00879   560   NtQueryValueKey  (124,  (124, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00880   560   NtQueryValueKey  (116,  (116, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00881   560   NtQueryValueKey  (124,  (124, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   560   NtQueryValueKey  (116,  (116, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00883   560   NtQueryValueKey  (124,  (124, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   560   NtQueryValueKey  (116,  (116, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885   560   NtQueryValueKey  (124,  (124, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00886   560   NtQueryValueKey  (116,  (116, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00887   560   NtQueryValueKey  (124,  (124, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00888   560   NtQueryValueKey  (116,  (116, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00889   560   NtQueryValueKey  (124,  (124, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   560   NtQueryValueKey  (116,  (116, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00891   560   NtQueryValueKey  (116,  (116, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00892   560   NtQueryValueKey  (116,  (116, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00893   560   NtQueryValueKey  (116,  (116, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00894   560   NtQueryValueKey  (116,  (116, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   560   NtQueryValueKey  (116,  (116, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00896   560   NtQueryValueKey  (116,  (116, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   560   NtQueryValueKey  (116,  (116, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00898   560   NtQueryValueKey  (116,  (116, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   560   NtQueryValueKey  (116,  (116, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900   560   NtQueryValueKey  (116,  (116, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00901   560   NtQueryValueKey  (116,  (116, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902   560   NtQueryValueKey  (116,  (116, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   560   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 128, ) }, ... 128, ) == 0x0
 00904   560   NtQueryValueKey  (128,  (128, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00905   560   NtClose  (128, ... ) == 0x0
 00906   560   NtClose  (124, ... ) == 0x0
 00907   560   NtClose  (116, ... ) == 0x0
 00908   560   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 116, ) }, ... 116, ) == 0x0
 00909   560   NtQueryValueKey  (116,  (116, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910   560   NtQueryValueKey  (116,  (116, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00911   560   NtQueryValueKey  (116,  (116, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00912   560   NtClose  (116, ... ) == 0x0
 00913   560   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00914   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00915   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 00916   560   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00917   560   NtClose  (116, ... ) == 0x0
 00918   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00920   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00921   560   NtQuerySystemTime  (... {-382216502, 29868086}, ) == 0x0
 00922   560   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 00923   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00924   560   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00925   560   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00926   560   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00927   560   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
 00928   560   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 136, ) == 0x0
 00929   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00930   560   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 10810112, 112, ... 144, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 10810112, 112, ... 144, 0x0, 0x0, 0x0, 112, ) == 0x0
 00931   560   NtRequestWaitReplyPort  (144, {128, 152, new_msg, 0, 127188, 1310720, 10809876, 2012750850}  (144, {128, 152, new_msg, 0, 127188, 1310720, 10809876, 2012750850} "\0\370\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wX\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0p\23\25\0\270\24\25\0(\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0;\1\0\0\5\0\0\0" ... {128, 152, reply, 0, 420, 560, 1498, 0} "\7\370\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0p\23\25\0\270\24\25\0(\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0;\1\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 420, 560, 1498, 0}  (144, {128, 152, new_msg, 0, 127188, 1310720, 10809876, 2012750850} "\0\370\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wX\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0p\23\25\0\270\24\25\0(\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0;\1\0\0\5\0\0\0" ... {128, 152, reply, 0, 420, 560, 1498, 0} "\7\370\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0p\23\25\0\270\24\25\0(\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0;\1\0\0\5\0\0\0" )  ) == 0x0
 00932   560   NtRequestWaitReplyPort  (144, {64, 88, new_msg, 0, 0, 0, 0, 0}  (144, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 420, 560, 1499, 0} "\2\240\372\177\1\00\300\0\0\0\0O\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200W\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 420, 560, 1499, 0}  (144, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 420, 560, 1499, 0} "\2\240\372\177\1\00\300\0\0\0\0O\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200W\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 00933   560   NtClose  (140, ... ) == 0x0
 00934   560   NtClose  (144, ... ) == 0x0
 00935   560   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 144, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 144, 2, ) , 0, ... 144, 2, ) == 0x0
 00936   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 140, ) }, ... 140, ) == 0x0
 00937   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   560   NtQueryValueKey  (144,  (144, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 00939   560   NtQueryValueKey  (144,  (144, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 00940   560   NtClose  (144, ... ) == 0x0
 00941   560   NtClose  (140, ... ) == 0x0
 00942   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00943   560   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 10809976, 112, ... 144, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 10809976, 112, ... 144, 0x0, 0x0, 0x0, 112, ) == 0x0
 00944   560   NtRequestWaitReplyPort  (144, {128, 152, new_msg, 0, 127052, 1310720, 10809740, 2012750850}  (144, {128, 152, new_msg, 0, 127052, 1310720, 10809740, 2012750850} "\0\370\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wX\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\23\25\0\300\24\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\244\0x\363\244\0x\1\24\0\300\27\25\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 420, 560, 1502, 0} "\7\370\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\23\25\0\300\24\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\244\0x\363\244\0x\1\24\0\300\27\25\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 420, 560, 1502, 0}  (144, {128, 152, new_msg, 0, 127052, 1310720, 10809740, 2012750850} "\0\370\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wX\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\23\25\0\300\24\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\244\0x\363\244\0x\1\24\0\300\27\25\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 420, 560, 1502, 0} "\7\370\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\23\25\0\300\24\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\244\0x\363\244\0x\1\24\0\300\27\25\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 00945   560   NtRequestWaitReplyPort  (144, {44, 68, new_msg, 0, 420, 560, 1499, 0}  (144, {44, 68, new_msg, 0, 420, 560, 1499, 0} "\1\240\0\0A\2\4\0\0\0\0\0O\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 420, 560, 1503, 0} "\2\240\372\177\4\00\300\0\0\0\0O\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ... {40, 64, reply, 0, 420, 560, 1503, 0}  (144, {44, 68, new_msg, 0, 420, 560, 1499, 0} "\1\240\0\0A\2\4\0\0\0\0\0O\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 420, 560, 1503, 0} "\2\240\372\177\4\00\300\0\0\0\0O\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ) == 0x0
 00946   560   NtRequestWaitReplyPort  (144, {64, 88, new_msg, 56, 0, 1, 0, 0}  (144, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\244\0@\0\314w\230\22\25\0@\364\244\0\250\364\244\0\0\267\362v\250\364\244\0\230\22\25\0\1\0\0\0\300\27\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 420, 560, 1504, 0} "\10\364\244\0@\0\314w\230\22\25\0@\364\244\0\250\364\244\0\0\267\362v\250\364\244\0\230\22\25\0\1\0\0\0\300\27\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {64, 88, reply, 56, 420, 560, 1504, 0}  (144, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\244\0@\0\314w\230\22\25\0@\364\244\0\250\364\244\0\0\267\362v\250\364\244\0\230\22\25\0\1\0\0\0\300\27\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 420, 560, 1504, 0} "\10\364\244\0@\0\314w\230\22\25\0@\364\244\0\250\364\244\0\0\267\362v\250\364\244\0\230\22\25\0\1\0\0\0\300\27\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00947   560   NtClose  (140, ... ) == 0x0
 00948   560   NtClose  (144, ... ) == 0x0
 00949   560   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 144, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 144, 2, ) , 0, ... 144, 2, ) == 0x0
 00950   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 140, ) }, ... 140, ) == 0x0
 00951   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952   560   NtQueryValueKey  (144,  (144, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00953   560   NtQueryValueKey  (144,  (144, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00954   560   NtClose  (144, ... ) == 0x0
 00955   560   NtClose  (140, ... ) == 0x0
 00956   560   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 140, ) }, ... 140, ) == 0x0
 00957   560   NtQueryValueKey  (140,  (140, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958   560   NtClose  (140, ... ) == 0x0
 00959   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 10809520, ... ) }, 10809520, ... ) == 0x0
 00960   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 00961   560   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 140, ... 144, ) == 0x0
 00962   560   NtClose  (140, ... ) == 0x0
 00963   560   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa60000), 0x0, 16384, ) == 0x0
 00964   560   NtClose  (144, ... ) == 0x0
 00965   560   NtUnmapViewOfSection  (-1, 0xa60000, ... ) == 0x0
 00966   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 10809836, ... ) }, 10809836, ... ) == 0x0
 00967   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0
 00968   560   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 144, ... 140, ) == 0x0
 00969   560   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00970   560   NtClose  (144, ... ) == 0x0
 00971   560   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0
 00972   560   NtClose  (140, ... ) == 0x0
 00973   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 140, ) }, ... 140, ) == 0x0
 00974   560   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 00975   560   NtClose  (140, ... ) == 0x0
 00976   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00977   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 144, ) }, ... 144, ) == 0x0
 00978   560   NtQueryValueKey  (144,  (144, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (144, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00979   560   NtClose  (144, ... ) == 0x0
 00980   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 10809520, ... ) }, 10809520, ... ) == 0x0
 00981   560   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00982   560   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10878976, 65536, ) == 0x0
 00983   560   NtAllocateVirtualMemory  (-1, 10878976, 0, 4096, 4096, 4, ... 10878976, 4096, ) == 0x0
 00984   560   NtAllocateVirtualMemory  (-1, 10883072, 0, 8192, 4096, 4, ... 10883072, 8192, ) == 0x0
 00985   560   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 00986   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00987   560   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 10809808, 112, ... 148, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 10809808, 112, ... 148, 0x0, 0x0, 0x0, 112, ) == 0x0
 00988   560   NtRequestWaitReplyPort  (148, {128, 152, new_msg, 0, 126884, 1310720, 10809572, 2012750850}  (148, {128, 152, new_msg, 0, 126884, 1310720, 10809572, 2012750850} "\0\367\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wX\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\220\36\25\0\270\36\25\0( \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\373\1\0\0\5\0\0\0" ... {128, 152, reply, 0, 420, 560, 1507, 0} "\7\367\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\220\36\25\0\270\36\25\0( \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\373\1\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 420, 560, 1507, 0}  (148, {128, 152, new_msg, 0, 126884, 1310720, 10809572, 2012750850} "\0\367\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wX\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\220\36\25\0\270\36\25\0( \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\373\1\0\0\5\0\0\0" ... {128, 152, reply, 0, 420, 560, 1507, 0} "\7\367\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\220\36\25\0\270\36\25\0( \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\373\1\0\0\5\0\0\0" )  ) == 0x0
 00989   560   NtRequestWaitReplyPort  (148, {64, 88, new_msg, 0, 420, 560, 1503, 0}  (148, {64, 88, new_msg, 0, 420, 560, 1503, 0} "\1\240\0\0A\2\10\0\0\0\0\0O\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 420, 560, 1508, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 420, 560, 1508, 0}  (148, {64, 88, new_msg, 0, 420, 560, 1503, 0} "\1\240\0\0A\2\10\0\0\0\0\0O\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 420, 560, 1508, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 00990   560   NtClose  (144, ... ) == 0x0
 00991   560   NtClose  (148, ... ) == 0x0
 00992   560   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 00806   548   NtDelayExecution  ... ) == 0x0
 00809   520   NtDelayExecution  ... ) == 0x0
 00993   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Create rule for packed.exe", 0, ... , 0, ...
 00994   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AlertDialog", 0x0, 0, ... , 0x0, 0, ...
 00993   548   NtUserFindWindowEx  ... ) == 0x0
 00994   520   NtUserFindWindowEx  ... ) == 0x0
 00995   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Ñîçäàòü ïðàâèëî äëÿ packed.exe", 0, ... , 0, ...
 00996   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhLearnDialog", 0x0, 0, ... , 0x0, 0, ...
 00995   548   NtUserFindWindowEx  ... ) == 0x0
 00996   520   NtUserFindWindowEx  ... ) == 0x0
 00992   560   NtCreateKey  ... 148, 2, ) == 0x0
 00997   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhAppChangedDialog", 0x0, 0, ... , 0x0, 0, ...
 00998   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 00999   548   NtDelayExecution  (0, {-100000, -1}, ...
 00998   560   NtOpenKey  ... 144, ) == 0x0
 01000   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001   560   NtQueryValueKey  (148,  (148, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01002   560   NtQueryValueKey  (148,  (148, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01003   560   NtClose  (148, ... ) == 0x0
 01004   560   NtClose  (144, ...
 00997   520   NtUserFindWindowEx  ... ) == 0x0
 01005   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.Product_Notification", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01006   520   NtDelayExecution  (0, {-100000, -1}, ...
 01004   560   NtClose  ... ) == 0x0
 01007   560   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 144, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 144, 2, ) , 0, ... 144, 2, ) == 0x0
 01008   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 148, ) }, ... 148, ) == 0x0
 01009   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   560   NtQueryValueKey  (144,  (144, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01011   560   NtQueryValueKey  (144,  (144, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01012   560   NtClose  (144, ... ) == 0x0
 01013   560   NtClose  (148, ... ) == 0x0
 01014   560   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 01015   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01016   560   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 10809608, 112, ... 144, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 10809608, 112, ... 144, 0x0, 0x0, 0x0, 112, ) == 0x0
 01017   560   NtRequestWaitReplyPort  (144, {128, 152, new_msg, 0, 126684, 1310720, 10809372, 2012750850}  (144, {128, 152, new_msg, 0, 126684, 1310720, 10809372, 2012750850} "\0\366\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wX\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\214\363\244\0\250\15\25\0\220"\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 420, 560, 1512, 0} "\7\366\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\214\363\244\0\250\15\25\0\220"\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0 (144, {128, 152, new_msg, 0, 126684, 1310720, 10809372, 2012750850} "\0\366\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wX\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\214\363\244\0\250\15\25\0\220"\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 420, 560, 1512, 0} "\7\366\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\214\363\244\0\250\15\25\0\220"\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) \7\366\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\214\363\244\0\250\15\25\0\220 (144, {128, 152, new_msg, 0, 126684, 1310720, 10809372, 2012750850} "\0\366\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wX\26\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\214\363\244\0\250\15\25\0\220"\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 420, 560, 1512, 0} "\7\366\244\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\214\363\244\0\250\15\25\0\220"\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 01018   560   NtRequestWaitReplyPort  (144, {64, 88, new_msg, 0, 420, 560, 1508, 0}  (144, {64, 88, new_msg, 0, 420, 560, 1508, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 420, 560, 1513, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 420, 560, 1513, 0}  (144, {64, 88, new_msg, 0, 420, 560, 1508, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 420, 560, 1513, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 01019   560   NtClose  (148, ... ) == 0x0
 01020   560   NtClose  (144, ... ) == 0x0
 01021   560   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 144, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 144, 2, ) , 0, ... 144, 2, ) == 0x0
 01022   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 148, ) }, ... 148, ) == 0x0
 01023   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   560   NtQueryValueKey  (144,  (144, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01025   560   NtQueryValueKey  (144,  (144, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 01026   560   NtClose  (144, ... ) == 0x0
 01027   560   NtClose  (148, ... ) == 0x0
 01028   560   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 148, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 148, 2, ) , 0, ... 148, 2, ) == 0x0
 01029   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 144, ) }, ... 144, ) == 0x0
 01030   560   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01031   560   NtQueryValueKey  (148,  (148, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01032   560   NtQueryValueKey  (148,  (148, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01033   560   NtClose  (148, ... ) == 0x0
 01034   560   NtClose  (144, ... ) == 0x0
 01035   560   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 144, ) }, ... 144, ) == 0x0
 01036   560   NtQueryValueKey  (144,  (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01037   560   NtQueryValueKey  (144,  (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01038   560   NtQueryValueKey  (144,  (144, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   560   NtClose  (144, ... ) == 0x0
 01040   560   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 10810512, ... ) }, 10810512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   560   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 10810512, ... ) }, 10810512, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043   560   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 10810512, ... ) }, 10810512, ... ) == 0x0
 01044   560   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0
 01045   560   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 144, ... 148, ) == 0x0
 01046   560   NtQuerySection  (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01047   560   NtClose  (144, ... ) == 0x0
 01048   560   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0
 01049   560   NtClose  (148, ... ) == 0x0
 01050   560   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 148, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 148, {status=0x0, info=0}, ) == 0x0
 01051   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 01052   560   NtDeviceIoControlFile  (148, 144, 0x0, 0x0, 0xf14014,  (148, 144, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\20\0\0\0\0\360\375\177h\2\374v\1\0\0\0\330\365\244\0<\371\244\0<\371\244\0\2$\370w\310j\367w\377\377\377\377\364j\365w$P\374w`i\365w\0\0\0\0\10\0\25\300\0\0\0\0\10\6\24\0\10,$\0\254\36$\0P-$\0\0\300\375\177\24\232\347wK\25\26\0x\26\25\0\206\26\25\0L\25\25\0@-$\0\30\0\26\2\10\367\244\0\10\367\244\0r\0a\0s\0a\0d\0h\0l\0p\0.\0d\0l\0l\0\0\0\0\0L\25\25\0\377\377\0\0\1\0\0\0\10\34\25\0\20!\25\0 \0\0\0\0\0\0\0\210\1\24\0\10!\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q@\25\25\0,\25\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0 !\1\1\0\0\24\0\330\366\244\0\270\373\244\0\300\376\244\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q !\25\0\300\24\25\0\230\364\24\0\260\364\24\0x\26\25\0\206\26\25\0L\25\25\0\377\377\0\0\0\0\0\0L\25\25\0\7\0\0\0x\26\25\0\10\370\244\0\177;\245q\0\0\0\0\0\0\0\0x\26\25\0\0\0\0\0L\25\25\0\377\377\0\0\1\0\0\0\230\1\24\0\370\33\25\0\20\0\0\0\0\0\0\0\230\1\24\0\360\33\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q@\25\25\0,\25\25\0\4\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0H5\1\1\0\0\24\0\240\367\244\0\200\374\244\0\300\376\244\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245qH5\24\0\300\24\25\0\230\364\24\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) , 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 01053   560   NtClose  (144, ... ) == 0x0
 01054   560   NtClose  (148, ... ) == 0x0
 01055   560   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 01056   560   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 148, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 148, {status=0x0, info=0}, ) == 0x0
 01057   560   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 01058   560   NtDeviceIoControlFile  (148, 144, 0x0, 0x0, 0xf14014,  (148, 144, 0x0, 0x0, 0xf14014, "\3\0\0\0192.168.124.129\0\260\15\25\0\260\15\25\0\0\0\0\0\300\366\244\0\333F\245q\0\0\0\0\300.\24\0\330$\25\0"\2\373\177p\367\244\0\0\0\0\0\263\26\365wP\36\25\0q\26\365w\30\7\24\0\215\26\365w\0\0\0\0\350\24\25\0\310\242\24\0\24\232\347wK\25\26\0\330$\25\0\366$\25\0L\25\25\0\377\377\0\0\0\0\0\0L\25\25\0\17\0\0\0\330$\25\0\34\367\244\0\177;\245q\0\0\0\0\0\0\0\0\330$\25\0\0\0\0\0L\25\25\0\377\377\0\0\1\0\0\0\0\0\0\0\250$\25\0L\25\25\0\230$\25\0\\367\244\0}<\245qL\25\25\0\0\0\0\0\330$\25\0\365<\245q@\25\25\0,\25\25\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\310\242\1\0\0\0\24\0\264\366\244\0\224\373\244\0\234\376\244\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\310\242\24\0\300\24\25\0\230\364\24\0\260\364\24\0a/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q !\25\0\300\24\25\0\230\364\24\0\260\364\24\0x\26\25\0\206\26\25\0L\25\25\0\377\377\0\0\0\0\0\0L\25\25\0\7\0\0\0x\26\25\0\10\370\244\0\177;\245q\0\0\0\0\0\0\0\0x\26\25\0\0\0\0\0L\25\25\0\377\377\0\0\1\0\0\0\230\1\24\0\370\33\25\0\20\0\0\0\0\0\0\0\230\1\24\0\360\33\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q@\25\25\0,\25\25\0\4\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0H5\1\1\0\0\24\0\240\367\244\0\200\374\244\0\300\376\244\0\2$\370w", 1552, 0, ... {status=0x0, info=0}, 0x0, ) \2\373\177p\367\244\0\0\0\0\0\263\26\365wP\36\25\0q\26\365w\30\7\24\0\215\26\365w\0\0\0\0\350\24\25\0\310\242\24\0\24\232\347wK\25\26\0\330$\25\0\366$\25\0L\25\25\0\377\377\0\0\0\0\0\0L\25\25\0\17\0\0\0\330$\25\0\34\367\244\0\177;\245q\0\0\0\0\0\0\0\0\330$\25\0\0\0\0\0L\25\25\0\377\377\0\0\1\0\0\0\0\0\0\0\250$\25\0L\25\25\0\230$\25\0\\367\244\0}<\245qL\25\25\0\0\0\0\0\330$\25\0\365<\245q@\25\25\0,\25\25\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\310\242\1\0\0\0\24\0\264\366\244\0\224\373\244\0\234\376\244\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\310\242\24\0\300\24\25\0\230\364\24\0\260\364\24\0a/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q !\25\0\300\24\25\0\230\364\24\0\260\364\24\0x\26\25\0\206\26\25\0L\25\25\0\377\377\0\0\0\0\0\0L\25\25\0\7\0\0\0x\26\25\0\10\370\244\0\177;\245q\0\0\0\0\0\0\0\0x\26\25\0\0\0\0\0L\25\25\0\377\377\0\0\1\0\0\0\230\1\24\0\370\33\25\0\20\0\0\0\0\0\0\0\230\1\24\0\360\33\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q@\25\25\0,\25\25\0\4\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0H5\1\1\0\0\24\0\240\367\244\0\200\374\244\0\300\376\244\0\2$\370w", 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 01059   560   NtClose  (144, ... ) == 0x0
 01060   560   NtClose  (148, ... ) == 0x0
 01061   560   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12386304, 1048576, ) == 0x0
 01062   560   NtAllocateVirtualMemory  (-1, 13414400, 0, 20480, 4096, 4, ... 13414400, 20480, ) == 0x0
 01063   560   NtProtectVirtualMemory  (-1, (0xccb000), 4096, 260, ... (0xccb000), 4096, 4, ) == 0x0
 01064   560   NtCreateThread  (0x1f03ff, 0x0, -1, 10812340, 10813056, 1, ... 148, {420, 732}, ) == 0x0
 01065   560   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=420,Tid=732,}, 0x0, ) == 0x0
 01066   560   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 2012550835, 1384040, 2012550769}  (24, {28, 56, new_msg, 0, 0, 2012550835, 1384040, 2012550769} "\0\0\0\0\1\0\1\0\220\36\25\0p\36\25\0\224\0\0\0\244\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 420, 560, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\36\25\0\224\0\0\0\244\1\0\0\334\2\0\0" )  ... {28, 56, reply, 0, 420, 560, 1515, 0}  (24, {28, 56, new_msg, 0, 0, 2012550835, 1384040, 2012550769} "\0\0\0\0\1\0\1\0\220\36\25\0p\36\25\0\224\0\0\0\244\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 420, 560, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\36\25\0\224\0\0\0\244\1\0\0\334\2\0\0" )  ) == 0x0
 01067   560   NtResumeThread  (148, ... 1, ) == 0x0
 01068   560   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0
 01069   560   NtAllocateVirtualMemory  (-1, 14462976, 0, 20480, 4096, 4, ... 14462976, 20480, ) == 0x0
 01070   732   NtTestAlert  (... ) == 0x0
 01071   732   NtContinue  (13434160, 1, ...
 01072   732   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01073   732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 144, ) == 0x0
 01074   732   NtWaitForSingleObject  (80, 0, {0, 0}, ... ) == 0x102
 01075   732   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13431296, ... }, 13431296, ...
 01076   560   NtProtectVirtualMemory  (-1, (0xdcb000), 4096, 260, ... (0xdcb000), 4096, 4, ) == 0x0
 01077   560   NtCreateThread  (0x1f03ff, 0x0, -1, 10812340, 10813056, 1, ... 152, {420, 744}, ) == 0x0
 01078   560   NtQueryInformationThread  (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=420,Tid=744,}, 0x0, ) == 0x0
 01079   560   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 420, 560, 1515, 0}  (24, {28, 56, new_msg, 0, 420, 560, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\36\25\0\230\0\0\0\244\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 420, 560, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\36\25\0\230\0\0\0\244\1\0\0\350\2\0\0" )  ... {28, 56, reply, 0, 420, 560, 1516, 0}  (24, {28, 56, new_msg, 0, 420, 560, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\36\25\0\230\0\0\0\244\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 420, 560, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0p\36\25\0\230\0\0\0\244\1\0\0\350\2\0\0" )  ) == 0x0
 01080   560   NtResumeThread  (152, ... 1, ) == 0x0
 01081   560   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01075   732   NtQueryAttributesFile  ... ) == 0x0
 01082   744   NtWaitForSingleObject  (28, 0, 0x0, ...
 01083   732   NtSetEventBoostPriority  (28, ...
 01082   744   NtWaitForSingleObject  ... ) == 0x0
 01084   744   NtTestAlert  (... ) == 0x0
 01083   732   NtSetEventBoostPriority  ... ) == 0x0
 01081   560   NtAllocateVirtualMemory  ... 14483456, 1048576, ) == 0x0
 01085   732   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01086   560   NtAllocateVirtualMemory  (-1, 15511552, 0, 20480, 4096, 4, ...
 01085   732   NtCreateEvent  ... 156, ) == 0x0
 01086   560   NtAllocateVirtualMemory  ... 15511552, 20480, ) == 0x0
 01087   732   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 13430940, ... }, 13430940, ...
 01088   560   NtProtectVirtualMemory  (-1, (0xecb000), 4096, 260, ...
 01089   744   NtContinue  (14482736, 1, ...
 01088   560   NtProtectVirtualMemory  ... (0xecb000), 4096, 4, ) == 0x0
 01090   744   NtRegisterThreadTerminatePort  (24, ...
 01091   560   NtCreateThread  (0x1f03ff, 0x0, -1, 10812352, 10813068, 1, ...
 01090   744   NtRegisterThreadTerminatePort  ... ) == 0x0
 01087   732   NtQueryAttributesFile  ... ) == 0x0
 01092   744   NtQueryValueKey  (84,  (84, "FromCacheTimeout", Partial, 144, ... , Partial, 144, ...
 01093   732   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01092   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01093   732   NtOpenKey  ... 160, ) == 0x0
 01094   744   NtQueryValueKey  (84,  (84, "SecureProtocols", Partial, 144, ... , Partial, 144, ...
 01095   732   NtQueryValueKey  (160,  (160, "Transports", Partial, 144, ... , Partial, 144, ...
 01091   560   NtCreateThread  ... 164, {420, 792}, ) == 0x0
 01095   732   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0
 01096   560   NtQueryInformationThread  (164, Basic, 28, ...
 01097   732   NtQueryValueKey  (160,  (160, "Transports", Partial, 144, ... , Partial, 144, ...
 01096   560   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=420,Tid=792,}, 0x0, ) == 0x0
 01094   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   560   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 65537, 0}  (24, {28, 56, new_msg, 0, 0, 0, 65537, 0} "\0\0\0\0\1\0\1\0\244\1\0\0\350\2\0\0\244\0\0\0\244\1\0\0\30\3\0\0" ...  ...
 01099   744   NtQueryValueKey  (84,  (84, "CertificateRevocation", Partial, 144, ... , Partial, 144, ...
 01098   560   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 420, 560, 1517, 0}  ... {28, 56, reply, 0, 420, 560, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\350\2\0\0\244\0\0\0\244\1\0\0\30\3\0\0" )  ) == 0x0
 01099   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   732   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0
 01100   744   NtQueryValueKey  (84,  (84, "DisableKeepAlive", Partial, 144, ... , Partial, 144, ...
 01101   732   NtClose  (160, ...
 01100   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101   732   NtClose  ... ) == 0x0
 01102   744   NtQueryValueKey  (84,  (84, "DisablePassport", Partial, 144, ... , Partial, 144, ...
 01103   732   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01104   560   NtResumeThread  (164, ...
 01103   732   NtOpenKey  ... 160, ) == 0x0
 01104   560   NtResumeThread  ... 1, ) == 0x0
 01105   732   NtQueryValueKey  (160,  (160, "Mapping", Partial, 144, ... , Partial, 144, ...
 01106   560   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01102   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   792   NtTestAlert  (...
 01106   560   NtAllocateVirtualMemory  ... 15532032, 1048576, ) == 0x0
 01108   744   NtQueryValueKey  (84,  (84, "CacheMode", Partial, 144, ... , Partial, 144, ...
 01107   792   NtTestAlert  ... ) == 0x0
 01109   560   NtAllocateVirtualMemory  (-1, 16560128, 0, 20480, 4096, 4, ...
 01108   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110   792   NtContinue  (15531312, 1, ...
 01109   560   NtAllocateVirtualMemory  ... 16560128, 20480, ) == 0x0
 01111   744   NtQueryValueKey  (84,  (84, "EnableHttp1_1", Partial, 144, ... , Partial, 144, ...
 01112   792   NtRegisterThreadTerminatePort  (24, ...
 01105   732   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01111   744   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01112   792   NtRegisterThreadTerminatePort  ... ) == 0x0
 01113   732   NtQueryValueKey  (160,  (160, "Mapping", Partial, 144, ... , Partial, 144, ...
 01114   744   NtQueryValueKey  (84,  (84, "ProxyHttp1.1", Partial, 144, ... , Partial, 144, ...
 01115   560   NtProtectVirtualMemory  (-1, (0xfcb000), 4096, 260, ...
 01113   732   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01116   792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01115   560   NtProtectVirtualMemory  ... (0xfcb000), 4096, 4, ) == 0x0
 01117   732   NtQueryValueKey  (160,  (160, "Mapping", Partial, 152, ... , Partial, 152, ...
 01116   792   NtDuplicateObject  ... 168, ) == 0x0
 01118   560   NtCreateThread  (0x1f03ff, 0x0, -1, 10812352, 10813068, 1, ...
 01117   732   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01119   792   NtWaitForSingleObject  (80, 0, {0, 0}, ...
 01118   560   NtCreateThread  ... 172, {420, 676}, ) == 0x0
 01120   732   NtClose  (160, ...
 01119   792   NtWaitForSingleObject  ... ) == 0x102
 01121   560   NtQueryInformationThread  (172, Basic, 28, ...
 01114   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   792   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01121   560   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=420,Tid=676,}, 0x0, ) == 0x0
 01123   744   NtQueryValueKey  (84,  (84, "EnableNegotiate", Partial, 144, ... , Partial, 144, ...
 01120   732   NtClose  ... ) == 0x0
 01122   792   NtCreateEvent  ... 160, ) == 0x0
 01123   744   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01124   732   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01125   792   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01126   744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... }, ...
 01124   732   NtOpenKey  ... 176, ) == 0x0
 01125   792   NtCreateEvent  ... 180, ) == 0x0
 01126   744   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01127   732   NtQueryValueKey  (176,  (176, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01128   792   NtWaitForSingleObject  (180, 0, 0x0, ...
 01129   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 14480668, ... }, 14480668, ...
 01127   732   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01130   560   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 420, 560, 1517, 0}  (24, {28, 56, new_msg, 0, 420, 560, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\350\2\0\0\254\0\0\0\244\1\0\0\244\2\0\0" ...  ...
 01131   732   NtQueryValueKey  (176,  (176, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01130   560   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 420, 560, 1518, 0}  ... {28, 56, reply, 0, 420, 560, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\350\2\0\0\254\0\0\0\244\1\0\0\244\2\0\0" )  ) == 0x0
 01132   560   NtResumeThread  (172, ... 1, ) == 0x0
 01133   560   NtDelayExecution  (0, {-100000000, -1}, ...
 01131   732   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01134   732   NtQueryValueKey  (176,  (176, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01135   732   NtQueryValueKey  (176,  (176, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (176, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01136   732   NtWaitForSingleObject  (28, 0, 0x0, ...
 01137   676   NtWaitForSingleObject  (28, 0, 0x0, ...
 01129   744   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01138   744   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 14480668, ... ) }, 14480668, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01139   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 14480668, ... ) }, 14480668, ... ) == 0x0
 01140   744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01141   744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 188, ) == 0x0
 01142   744   NtQuerySection  (188, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01143   744   NtClose  (184, ... ) == 0x0
 01144   744   NtMapViewOfSection  (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0
 01145   744   NtClose  (188, ... ) == 0x0
 01146   744   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 188, ) == 0x0
 01147   744   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 184, ) == 0x0
 01148   744   NtSetEventBoostPriority  (28, ...
 01137   676   NtWaitForSingleObject  ... ) == 0x0
 01149   676   NtSetEventBoostPriority  (28, ...
 01136   732   NtWaitForSingleObject  ... ) == 0x0
 01150   732   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13431860, ... ) }, 13431860, ... ) == 0x0
 01151   732   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0
 01149   676   NtSetEventBoostPriority  ... ) == 0x0
 01148   744   NtSetEventBoostPriority  ... ) == 0x0
 01152   732   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 192, ...
 01153   744   NtWaitForSingleObject  (28, 0, 0x0, ...
 01152   732   NtCreateSection  ... 196, ) == 0x0
 01154   732   NtClose  (192, ... ) == 0x0
 01155   732   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa70000), 0x0, 20480, ) == 0x0
 01156   732   NtClose  (196, ... ) == 0x0
 01157   732   NtUnmapViewOfSection  (-1, 0xa70000, ... ) == 0x0
 01158   732   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13432176, ... ) }, 13432176, ... ) == 0x0
 01159   676   NtTestAlert  (... ) == 0x0
 01160   676   NtContinue  (16579888, 1, ...
 01161   676   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01162   676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 196, ) == 0x0
 01163   676   NtWaitForSingleObject  (80, 0, {0, 0}, ... ) == 0x102
 01164   676   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0
 01165   732   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 200, {status=0x0, info=1}, ) }, 5, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01166   732   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 200, ... 204, ) == 0x0
 01167   732   NtQuerySection  (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01168   732   NtClose  (200, ... ) == 0x0
 01169   732   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 01170   732   NtClose  (204, ... ) == 0x0
 01171   676   NtWaitForSingleObject  (180, 0, 0x0, ...
 01172   732   NtSetEventBoostPriority  (28, ...
 01153   744   NtWaitForSingleObject  ... ) == 0x0
 01173   744   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 204, ) }, ... 204, ) == 0x0
 01174   744   NtQueryEvent  (204, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 01175   744   NtClose  (204, ... ) == 0x0
 01176   744   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 14482152, 140, ... , {12, 2, 1, 0}, 0x0, 0x0, 14482152, 140, ...
 01172   732   NtSetEventBoostPriority  ... ) == 0x0
 01177   732   NtClose  (176, ... ) == 0x0
 01178   732   NtSetEventBoostPriority  (180, ...
 01128   792   NtWaitForSingleObject  ... ) == 0x0
 01179   792   NtSetEventBoostPriority  (180, ...
 01171   676   NtWaitForSingleObject  ... ) == 0x0
 01180   676   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16580116, 67, ... 176, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16580116, 67, ... 176, {status=0x0, info=0}, ) == 0x0
 01181   676   NtDeviceIoControlFile  (176, 192, 0x0, 0x0, 0x1207b,  (176, 192, 0x0, 0x0, 0x1207b, "\7\0\0\0\0\0\0\0\20U\367\0\17\346\367w", 16, 16, ... , 16, 16, ...
 01179   792   NtSetEventBoostPriority  ... ) == 0x0
 01178   732   NtSetEventBoostPriority  ... ) == 0x0
 01176   744   NtConnectPort  ... 204, 0x0, 0x0, 256, 140, ) == 0x0
 01181   676   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0P\337\14\201", ) , ) == 0x0
 01182   792   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01183   744   NtRequestWaitReplyPort  (204, {28, 52, new_msg, 0, 0, 0, 0, 0}  (204, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ...  ...
 01184   676   NtDeviceIoControlFile  (176, 192, 0x0, 0x0, 0x1207b,  (176, 192, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0P\337\14\201", 16, 16, ... , 16, 16, ...
 01182   792   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01183   744   NtRequestWaitReplyPort  ... {176, 200, reply, 0, 420, 744, 1520, 0}  ... {176, 200, reply, 0, 420, 744, 1520, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 01184   676   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0P\337\14\201", ) , ) == 0x0
 01185   792   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 15531540, 67, ... }, 0x0, 0, 3, 3, 0, 15531540, 67, ...
 01186   744   NtQueryValueKey  (84,  (84, "SyncMode5", Partial, 144, ... , Partial, 144, ...
 01187   676   NtDeviceIoControlFile  (176, 192, 0x0, 0x0, 0x12047,  (176, 192, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230.\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01185   792   NtCreateFile  ... 200, {status=0x0, info=0}, ) == 0x0
 01186   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   676   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01188   792   NtDeviceIoControlFile  (200, 160, 0x0, 0x0, 0x12047,  (200, 160, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\200\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01189   732   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 13434376, 67, ... }, 0x0, 0, 3, 3, 0, 13434376, 67, ...
 01190   676   NtWaitForSingleObject  (80, 0, {0, 0}, ...
 01188   792   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01189   732   NtCreateFile  ... 208, {status=0x0, info=0}, ) == 0x0
 01191   744   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... }, ...
 01190   676   NtWaitForSingleObject  ... ) == 0x102
 01192   732   NtDeviceIoControlFile  (208, 156, 0x0, 0x0, 0x12047,  (208, 156, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\210&\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01191   744   NtOpenKey  ... 212, ) == 0x0
 01193   676   NtDeviceIoControlFile  (176, 192, 0x0, 0x0, 0x12003,  (176, 192, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\30\252\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01192   732   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01194   744   NtQueryValueKey  (212,  (212, "FixupKey", Partial, 144, ... , Partial, 144, ...
 01193   676   NtDeviceIoControlFile  ... {status=0x0, info=216},  ... {status=0x0, info=216}, "\1\0\0\0\1\0\0\0\16\0\2\0\30\252\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01195   732   NtWaitForSingleObject  (80, 0, {0, 0}, ...
 01194   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01196   676   NtDeviceIoControlFile  (176, 192, 0x0, 0x0, 0x12047,  (176, 192, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\30\252\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01197   744   NtClose  (212, ...
 01196   676   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01197   744   NtClose  ... ) == 0x0
 01198   792   NtWaitForSingleObject  (80, 0, {0, 0}, ...
 01195   732   NtWaitForSingleObject  ... ) == 0x102
 01199   676   NtDeviceIoControlFile  (176, 192, 0x0, 0x0, 0x1200b,  (176, 192, 0x0, 0x0, 0x1200b, "\0\21\252q\5\0\0\0\0\0\0\0", 12, 0, ... , 12, 0, ...
 01198   792   NtWaitForSingleObject  ... ) == 0x102
 01200   732   NtDeviceIoControlFile  (208, 156, 0x0, 0x0, 0x12003,  (208, 156, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\21\323\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01199   676   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01201   792   NtDeviceIoControlFile  (200, 160, 0x0, 0x0, 0x12003,  (200, 160, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\260\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01200   732   NtDeviceIoControlFile  ... {status=0x0, info=212},  ... {status=0x0, info=212}, "\1\0\0\0\1\0\0\0\16\0\2\0\21\323\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01202   676   NtDeviceIoControlFile  (176, 192, 0x0, 0x0, 0x12047,  (176, 192, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0\30\252\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01201   792   NtDeviceIoControlFile  ... {status=0x0, info=220},  ... {status=0x0, info=220}, "\1\0\0\0\1\0\0\0\16\0\2\0\260\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01203   732   NtDeviceIoControlFile  (208, 156, 0x0, 0x0, 0x12047,  (208, 156, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\21\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01202   676   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01204   792   NtDeviceIoControlFile  (200, 160, 0x0, 0x0, 0x12047,  (200, 160, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01203   732   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01205   676   NtDeviceIoControlFile  (176, 192, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 01206   744   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ...
 01207   732   NtDeviceIoControlFile  (208, 156, 0x0, 0x0, 0x1200b,  (208, 156, 0x0, 0x0, 0x1200b, "\0\21\252q\377\0\0\0\0\0\0\0", 12, 0, ... , 12, 0, ...
 01205   676   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 01206   744   NtOpenKey  ... 224, ) == 0x0
 01204   792   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01207   732   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01208   744   NtQueryValueKey  (224,  (224, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... , Partial, 144, ...
 01209   792   NtDeviceIoControlFile  (200, 160, 0x0, 0x0, 0x1200b,  (200, 160, 0x0, 0x0, 0x1200b, "\0\21\252q\5\0\0\0\0\0\0\0", 12, 0, ... , 12, 0, ...
 01210   732   NtDeviceIoControlFile  (208, 156, 0x0, 0x0, 0x12047,  (208, 156, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0\21\323\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01208   744   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   792   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01210   732   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01211   744   NtClose  (224, ...
 01212   792   NtDeviceIoControlFile  (200, 160, 0x0, 0x0, 0x12047,  (200, 160, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01213   732   NtDeviceIoControlFile  (208, 156, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 01211   744   NtClose  ... ) == 0x0
 01212   792   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01213   732   NtDeviceIoControlFile  ... {status=0xccfd94, info=248},  ... {status=0xccfd94, info=248}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1", ) , ) == 0x103
 01214   792   NtDeviceIoControlFile  (200, 160, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 01215   744   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ...
 01216   676   NtWaitForSingleObject  (192, 1, {-5000000, -1}, ...
 01215   744   NtOpenKey  ... 224, ) == 0x0
 01217   744   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 228, ) }, ... 228, ) == 0x0
 01218   744   NtQueryValueKey  (228,  (228, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01219   744   NtClose  (228, ... ) == 0x0
 01220   744   NtOpenKey  (0xf, {24, 68, 0x40, 0, 0,  (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 228, ) }, ... 228, ) == 0x0
 01221   744   NtOpenKey  (0xf, {24, 68, 0x40, 0, 0,  (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 232, ) }, ... 232, ) == 0x0
 01214   792   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 01222   732   NtWaitForSingleObject  (156, 1, {-5000000, -1}, ...
 01223   792   NtWaitForSingleObject  (160, 1, {-5000000, -1}, ...
 01224   744   NtOpenKey  (0xf, {24, 68, 0x40, 0, 0,  (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 236, ) }, ... 236, ) == 0x0
 01225   744   NtOpenKey  (0xf, {24, 68, 0x40, 0, 0,  (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 240, ) }, ... 240, ) == 0x0
 01226   744   NtQueryValueKey  (240,  (240, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01227   744   NtQueryValueKey  (240,  (240, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01228   744   NtClose  (240, ... ) == 0x0
 01229   744   NtOpenKey  (0xf, {24, 68, 0x40, 0, 0,  (0xf, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 240, ) }, ... 240, ) == 0x0
 01230   744   NtQueryValueKey  (240,  (240, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (240, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01231   744   NtQueryValueKey  (240,  (240, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (240, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01232   744   NtQueryValueKey  (240,  (240, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (240, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01233   744   NtQueryValueKey  (240,  (240, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (240, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01234   744   NtQueryValueKey  (240,  (240, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (240, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01235   744   NtQueryValueKey  (240,  (240, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (240, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01236   744   NtClose  (240, ... ) == 0x0
 01237   744   NtOpenKey  (0xf, {24, 232, 0x40, 0, 0,  (0xf, {24, 232, 0x40, 0, 0, "Content"}, ... 240, ) }, ... 240, ) == 0x0
 01238   744   NtQueryValueKey  (240,  (240, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01239   744   NtClose  (240, ... ) == 0x0
 01240   744   NtOpenKey  (0xf, {24, 232, 0x40, 0, 0,  (0xf, {24, 232, 0x40, 0, 0, "Content"}, ... 240, ) }, ... 240, ) == 0x0
 01241   744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 244, ) }, ... 244, ) == 0x0
 01242   744   NtMapViewOfSection  (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 01243   744   NtClose  (244, ... ) == 0x0
 01244   744   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 244, ) }, ... 244, ) == 0x0
 01245   744   NtQueryValueKey  (244,  (244, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01246   744   NtClose  (244, ... ) == 0x0
 01247   744   NtQueryDefaultUILanguage  (14477120, ...
 01248   744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01249   744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482128, ) == 0x0
 01250   744   NtQueryInformationToken  (-2147482128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01251   744   NtClose  (-2147482128, ... ) == 0x0
 01252   744   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482128, ) }, ... -2147482128, ) == 0x0
 01253   744   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01254   744   NtOpenKey  (0x80000000, {24, -2147482128, 0x640, 0, 0,  (0x80000000, {24, -2147482128, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482124, ) }, ... -2147482124, ) == 0x0
 01255   744   NtQueryValueKey  (-2147482124,  (-2147482124, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01256   744   NtClose  (-2147482124, ... ) == 0x0
 01257   744   NtClose  (-2147482128, ... ) == 0x0
 01247   744   NtQueryDefaultUILanguage  ... ) == 0x0
 01258   744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01259   744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 244, {status=0x0, info=1}, ) }, 1, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 01260   744   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 244, ... 248, ) == 0x0
 01261   744   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xfd0000), 0x0, 8323072, ) == 0x0
 01262   744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01263   744   NtQueryDefaultLocale  (1, 14475156, ... ) == 0x0
 01264   744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01265   744   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 14476012, 1, 96, 0}  (24, {128, 156, new_msg, 0, 14476012, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\346\334\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\364\0\0\0\377\377\377\377\0\0\0\0\20\3114\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\354\351\334\0\0\0\0\0" ...  ...
 00999   548   NtDelayExecution  ... ) == 0x0
 01266   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Create rule for packed.exe", 0, ... ) , 0, ... ) == 0x0
 01267   548   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Ñîçäàòü ïðàâèëî äëÿ packed.exe", 0, ... , 0, ...
 01006   520   NtDelayExecution  ... ) == 0x0
 01267   548   NtUserFindWindowEx  ... ) == 0x0
 01265   744   NtRequestWaitReplyPort  ... {128, 156, reply, 0, 420, 744, 1521, 0}  ... {128, 156, reply, 0, 420, 744, 1521, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\346\334\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\364\0\0\0\377\377\377\377\0\0\0\0\20\3114\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\354\351\334\0\0\0\0\0" )  ) == 0x0
 01268   548   NtDelayExecution  (0, {-100000, -1}, ...
 01269   744   NtClose  (244, ... ) == 0x0
 01270   744   NtClose  (248, ... ) == 0x0
 01271   744   NtUnmapViewOfSection  (-1, 0xfd0000, ... ) == 0x0
 01272   744   NtUnmapViewOfSection  (-1, 0xdce9ec, ... ) == STATUS_NOT_MAPPED_VIEW
 01273   744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01274   744   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... }, ...
 01275   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AlertDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01276   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhLearnDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01277   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.AhAppChangedDialog", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01278   520   NtUserFindWindowEx  (0, 0,  (0, 0, "AVP.Product_Notification", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01279   520   NtDelayExecution  (0, {-100000, -1}, ...
 01274   744   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01280   744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01281   744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01282   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 14474240, ... ) }, 14474240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01283   744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01284   744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01285   744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01286   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 14474832, ... ) }, 14474832, ... ) == 0x0
 01287   744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 248, {status=0x0, info=1}, ) }, 3, 33, ... 248, {status=0x0, info=1}, ) == 0x0
 01288   744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01289   744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 01290   744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 244, ... 252, ) == 0x0
 01291   744   NtClose  (244, ... ) == 0x0
 01292   744   NtMapViewOfSection  (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xfd0000), 0x0, 921600, ) == 0x0
 01293   744   NtClose  (252, ... ) == 0x0
 01294   744   NtUnmapViewOfSection  (-1, 0xfd0000, ... ) == 0x0
 01295   744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 252, {status=0x0, info=1}, ) }, 5, 96, ... 252, {status=0x0, info=1}, ) == 0x0
 01296   744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 252, ... 244, ) == 0x0
 01297   744   NtQuerySection  (244, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01298   744   NtClose  (252, ... ) == 0x0
 01299   744   NtMapViewOfSection  (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 01300   744   NtClose  (244, ... ) == 0x0
 01301   744   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01302   744   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01303   744   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01304   744   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01305   744   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01306   744   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01307   744   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01308   744   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01309   744   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01310   744   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01311   744   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01312   744   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01313   744   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01314   744   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01315   744   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01316   744   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01317   744   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01318   744   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01319   744   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01320   744   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01321   744   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01322   744   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 14476016, ... ) , 42, 14476016, ... ) == 0x0
 01323   744   NtQueryDefaultUILanguage  (14474732, ...
 01324   744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01325   744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482128, ) == 0x0
 01326   744   NtQueryInformationToken  (-2147482128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01327   744   NtClose  (-2147482128, ... ) == 0x0
 01328   744   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482128, ) }, ... -2147482128, ) == 0x0
 01329   744   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01330   744   NtOpenKey  (0x80000000, {24, -2147482128, 0x640, 0, 0,  (0x80000000, {24, -2147482128, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482124, ) }, ... -2147482124, ) == 0x0
 01331   744   NtQueryValueKey  (-2147482124,  (-2147482124, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01332   744   NtClose  (-2147482124, ... ) == 0x0
 01333   744   NtClose  (-2147482128, ... ) == 0x0
 01323   744   NtQueryDefaultUILanguage  ... ) == 0x0
 01334   744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01335   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 14473584, ... ) }, 14473584, ... ) == 0x0
 01336   744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 01337   744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 244, ... 252, ) == 0x0
 01338   744   NtClose  (244, ... ) == 0x0
 01339   744   NtMapViewOfSection  (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa80000), 0x0, 4096, ) == 0x0
 01340   744   NtClose  (252, ... ) == 0x0
 01341   744   NtUnmapViewOfSection  (-1, 0xa80000, ... ) == 0x0
 01342   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 14473224, ... ) }, 14473224, ... ) == 0x0
 01343   744   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 14473924,  (0x80100080, {24, 0, 0x40, 0, 14473924, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 252, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 252, {status=0x0, info=1}, ) == 0x0
 01344   744   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 252, ... 244, ) == 0x0
 01345   744   NtClose  (252, ... ) == 0x0
 01346   744   NtMapViewOfSection  (244, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa80000), {0, 0}, 4096, ) == 0x0
 01347   744   NtClose  (244, ... ) == 0x0
 01348   744   NtUnmapViewOfSection  (-1, 0xa80000, ... ) == 0x0
 01349   744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 244, {status=0x0, info=1}, ) }, 1, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 01350   744   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 244, ... 252, ) == 0x0
 01351   744   NtMapViewOfSection  (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa80000), 0x0, 4096, ) == 0x0
 01352   744   NtQueryInformationFile  (244, 14473544, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 01353   744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01354   744   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 14473624, 1, 96, 0}  (24, {128, 156, new_msg, 0, 14473624, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\364\0\0\0\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\230\340\334\0\0\0\0\0" ... {128, 156, reply, 0, 420, 744, 1522, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\364\0\0\0\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\230\340\334\0\0\0\0\0" )  ... {128, 156, reply, 0, 420, 744, 1522, 0}  (24, {128, 156, new_msg, 0, 14473624, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\364\0\0\0\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\230\340\334\0\0\0\0\0" ... {128, 156, reply, 0, 420, 744, 1522, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1\364\0\0\0\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\230\340\334\0\0\0\0\0" )  ) == 0x0
 01355   744   NtClose  (244, ... ) == 0x0
 01356   744   NtClose  (252, ... ) == 0x0
 01357   744   NtUnmapViewOfSection  (-1, 0xa80000, ... ) == 0x0
 01358   744   NtUnmapViewOfSection  (-1, 0xdce098, ... ) == STATUS_NOT_MAPPED_VIEW
 01359   744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01360   744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 252, ) == 0x0
 01361   744   NtCallbackReturn  (0, 0, 0, ...
 01362   744   NtUserGetThreadState  (18, ... ) == 0x1
 01363   744   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01364   744   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 01365   744   NtUserGetDC  (0, ... ) == 0x1010052
 01366   744   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 01367   744   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 01368   744   NtUserSystemParametersInfo  (66, 12, 14476036, 0, ... ) == 0x1
 01369   744   NtOpenProcessToken  (-1, 0x8, ... 244, ) == 0x0
 01370   744   NtAccessCheck  (1389656, 244, 0x1, 14475440, 14475384, 56, 14475468, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01371   744   NtClose  (244, ... ) == 0x0
 01372   744   NtOpenKey  (0x20019, {24, 68, 0x40, 0, 0,  (0x20019, {24, 68, 0x40, 0, 0, "Control Panel\Desktop"}, ... 244, ) }, ... 244, ) == 0x0
 01373   744   NtQueryValueKey  (244,  (244, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01374   744   NtClose  (244, ... ) == 0x0
 01375   744   NtUserSystemParametersInfo  (41, 500, 14475536, 0, ... ) == 0x1
 01376   744   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 244, ) }, ... 244, ) == 0x0
 01377   744   NtQueryValueKey  (244,  (244, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01378   744   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 256, ) }, ... 256, ) == 0x0
 01379   744   NtQueryValueKey  (256,  (256, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01380   744   NtClose  (256, ... ) == 0x0
 01381   744   NtClose  (244, ... ) == 0x0
 01382   744   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 01383   744   NtUserSystemParametersInfo  (4130, 0, 14476060, 0, ... ) == 0x1
 01384   744   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 244, ) }, ... 244, ) == 0x0
 01385   744   NtEnumerateValueKey  (244, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01386   744   NtClose  (244, ... ) == 0x0
 01387   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01388   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc03b
 01389   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc03d
 01390   744   NtUserFindExistingCursorIcon  (14475340, 14475356, 14475924, ... ) == 0x10011
 01391   744   NtUserRegisterClassExWOW  (14475792, 14475872, 14475856, 14475888, 0, 384, 0, ... ) == 0x810bc03f
 01392   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01393   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ...
 01394   744   NtAllocateVirtualMemory  (-1, 6651904, 0, 4096, 4096, 32, ... 6651904, 4096, ) == 0x0
 01393   744   NtUserRegisterClassExWOW  ... ) == 0x810bc041
 01395   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01396   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc043
 01397   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc045
 01398   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01399   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc047
 01400   744   NtUserFindExistingCursorIcon  (14475340, 14475356, 14475924, ... ) == 0x10011
 01401   744   NtUserRegisterClassExWOW  (14475792, 14475872, 14475856, 14475888, 0, 384, 0, ... ) == 0x810bc049
 01402   744   NtUserGetClassInfo  (1905590272, 14475956, 14475908, 14475984, 0, ... ) == 0xc049
 01403   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01404   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc04b
 01405   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01406   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc04d
 01407   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01408   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc04f
 01409   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc051
 01410   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01411   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc053
 01412   744   NtUserFindExistingCursorIcon  (14475340, 14475356, 14475924, ... ) == 0x10011
 01413   744   NtUserRegisterClassExWOW  (14475792, 14475872, 14475856, 14475888, 0, 384, 0, ... ) == 0x810bc055
 01414   744   NtUserRegisterClassExWOW  (14475792, 14475872, 14475856, 14475888, 0, 384, 0, ... ) == 0x810bc057
 01415   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01416   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc059
 01417   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10013
 01418   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc05b
 01419   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01420   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc05d
 01421   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01422   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc05f
 01423   744   NtUserFindExistingCursorIcon  (14475340, 14475356, 14475924, ... ) == 0x10011
 01424   744   NtUserRegisterClassExWOW  (14475792, 14475872, 14475856, 14475888, 0, 384, 0, ... ) == 0x810bc017
 01425   744   NtUserFindExistingCursorIcon  (14475340, 14475356, 14475924, ... ) == 0x10011
 01426   744   NtUserRegisterClassExWOW  (14475792, 14475872, 14475856, 14475888, 0, 384, 0, ... ) == 0x810bc019
 01427   744   NtUserFindExistingCursorIcon  (14475340, 14475356, 14475924, ... ) == 0x10013
 01428   744   NtUserRegisterClassExWOW  (14475792, 14475872, 14475856, 14475888, 0, 384, 0, ... ) == 0x810bc018
 01429   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01430   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc01a
 01431   744   NtUserFindExistingCursorIcon  (14475340, 14475356, 14475924, ... ) == 0x10011
 01432   744   NtUserRegisterClassExWOW  (14475792, 14475872, 14475856, 14475888, 0, 384, 0, ... ) == 0x810bc01c
 01433   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01434   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc01e
 01435   744   NtUserFindExistingCursorIcon  (14475340, 14475356, 14475924, ... ) == 0x10011
 01436   744   NtUserRegisterClassExWOW  (14475852, 14475932, 14475916, 14475948, 0, 384, 0, ... ) == 0x810bc01b
 01437   744   NtUserFindExistingCursorIcon  (14475336, 14475352, 14475920, ... ) == 0x10011
 01438   744   NtUserRegisterClassExWOW  (14475848, 14475928, 14475912, 14475944, 0, 384, 0, ... ) == 0x810bc068
 01439   744   NtUserFindExistingCursorIcon  (14475344, 14475360, 14475928, ... ) == 0x10011
 01440   744   NtUserRegisterClassExWOW  (14475796, 14475876, 14475860, 14475892, 0, 384, 0, ... ) == 0x810bc06a
 01441   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc03b
 01442   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc03d
 01443   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc03f
 01444   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc041
 01445   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc043
 01446   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc045
 01447   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc047
 01448   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc049
 01449   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc04b
 01450   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc04d
 01451   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc04f
 01452   744   NtUserGetClassInfo  (1999896576, 14478860, 14478812, 14478888, 0, ... ) == 0xc051
 01453   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc053
 01454   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc055
 01455   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc059
 01456   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc05b
 01457   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc05d
 01458   744   NtUserGetClassInfo  (1999896576, 14478856, 14478808, 14478884, 0, ... ) == 0xc05f
 01459   744   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01460   744   NtCreateSemaphore  (0x1f0003, {24, 60, 0x80, 1375656, 0,  (0x1f0003, {24, 60, 0x80, 1375656, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 244, ) }, 0, 2147483647, ... 244, ) == STATUS_OBJECT_NAME_EXISTS
 01461   744   NtReleaseSemaphore  (244, 1, ... 0, ) == 0x0
 01462   744   NtWaitForSingleObject  (244, 0, {0, 0}, ... ) == 0x0
 01463   744   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 256, 2, ) }, 0, 0x0, 0, ... 256, 2, ) == 0x0
 01464   744   NtQueryValueKey  (256,  (256, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (256, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01465   744   NtClose  (256, ... ) == 0x0
 01466   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 14479380, ... ) }, 14479380, ... ) == 0x0
 01467   744   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 256, 2, ) }, 0, 0x0, 0, ... 256, 2, ) == 0x0
 01468   744   NtSetValueKey  (256,  (256, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1,  (256, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0
 01469   744   NtClose  (256, ... ) == 0x0
 01470   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 14480712, ... ) }, 14480712, ... ) == 0x0
 01471   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 14480444, ... ) }, 14480444, ... ) == 0x0
 01472   744   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 256, {status=0x0, info=1}, ) }, 7, 2113568, ... 256, {status=0x0, info=1}, ) == 0x0
 01473   744   NtSetInformationFile  (256, 14480420, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01474   744   NtClose  (256, ... ) == 0x0
 01475   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 14480444, ... ) }, 14480444, ... ) == 0x0
 01476   744   NtQueryValueKey  (240,  (240, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01477   744   NtQueryValueKey  (240,  (240, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01478   744   NtQueryValueKey  (240,  (240, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0
 01479   744   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 256, ) }, ... 256, ) == 0x0
 01480   744   NtOpenKey  (0xf, {24, 256, 0x40, 0, 0,  (0xf, {24, 256, 0x40, 0, 0, "Paths"}, ... 260, ) }, ... 260, ) == 0x0
 01481   744   NtOpenKey  (0xf, {24, 260, 0x40, 0, 0,  (0xf, {24, 260, 0x40, 0, 0, "Path1"}, ... 264, ) }, ... 264, ) == 0x0
 01482   744   NtOpenKey  (0xf, {24, 260, 0x40, 0, 0,  (0xf, {24, 260, 0x40, 0, 0, "Path2"}, ... 268, ) }, ... 268, ) == 0x0
 01483   744   NtOpenKey  (0xf, {24, 260, 0x40, 0, 0,  (0xf, {24, 260, 0x40, 0, 0, "Path3"}, ... 272, ) }, ... 272, ) == 0x0
 01484   744   NtOpenKey  (0xf, {24, 260, 0x40, 0, 0,  (0xf, {24, 260, 0x40, 0, 0, "Path4"}, ... 276, ) }, ... 276, ) == 0x0
 01485   744   NtOpenKey  (0xf, {24, 256, 0x40, 0, 0,  (0xf, {24, 256, 0x40, 0, 0, "Special Paths"}, ... 280, ) }, ... 280, ) == 0x0
 01486   744   NtSetValueKey  (260,  (260, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1,  (260, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0
 01487   744   NtSetValueKey  (260,  (260, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4,  (260, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01488   744   NtSetValueKey  (264,  (264, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1,  (264, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01489   744   NtSetValueKey  (268,  (268, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1,  (268, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01490   744   NtSetValueKey  (272,  (272, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1,  (272, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01491   744   NtSetValueKey  (276,  (276, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1,  (276, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01492   744   NtSetValueKey  (264,  (264, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (264, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01493   744   NtSetValueKey  (268,  (268, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (268, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01494   744   NtSetValueKey  (272,  (272, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (272, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01495   744   NtSetValueKey  (276,  (276, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (276, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01496   744   NtClose  (276, ... ) == 0x0
 01497   744   NtClose  (272, ... ) == 0x0
 01498   744   NtClose  (268, ... ) == 0x0
 01499   744   NtClose  (264, ... ) == 0x0
 01500   744   NtClose  (260, ... ) == 0x0
 01501   744   NtClose  (280, ... ) == 0x0
 01502   744   NtClose  (256, ... ) == 0x0
 01503   744   NtOpenKey  (0xf, {24, 232, 0x40, 0, 0,  (0xf, {24, 232, 0x40, 0, 0, "Cookies"}, ... 256, ) }, ... 256, ) == 0x0
 01504   744   NtQueryValueKey  (256,  (256, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01505   744   NtClose  (256, ... ) == 0x0
 01506   744   NtClose  (240, ... ) == 0x0
 01507   744   NtOpenKey  (0xf, {24, 232, 0x40, 0, 0,  (0xf, {24, 232, 0x40, 0, 0, "Cookies"}, ... 240, ) }, ... 240, ) == 0x0
 01508   744   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01509   744   NtReleaseSemaphore  (244, 1, ... 0, ) == 0x0
 01510   744   NtWaitForSingleObject  (244, 0, {0, 0}, ... ) == 0x0
 01511   744   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 256, 2, ) }, 0, 0x0, 0, ... 256, 2, ) == 0x0
 01512   744   NtQueryValueKey  (256,  (256, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (256, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01513   744   NtClose  (256, ... ) == 0x0
 01514   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 14479380, ... ) }, 14479380, ... ) == 0x0
 01515   744   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 256, 2, ) }, 0, 0x0, 0, ... 256, 2, ) == 0x0
 01516   744   NtSetValueKey  (256,  (256, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1,  (256, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0
 01517   744   NtClose  (256, ... ) == 0x0
 01518   744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 14480712, ... ) }, 14480712, ... ) == 0x0
 01519   744   NtQueryValueKey  (240,  (240, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01520   744   NtQueryValueKey  (240,  (240, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (240, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01521   744   NtQueryValueKey  (240,  (240, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01522   744   NtOpenKey  (0xf, {24, 232, 0x40, 0, 0,  (0xf, {24, 232, 0x40, 0, 0, "History"}, ... 256, ) }, ... 256, ) == 0x0
 01523   744   NtQueryValueKey  (256,  (256, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01524   744   NtClose  (256, ... ) == 0x0
 01525   744   NtClose  (240, ... ) == 0x0
 01526   744   NtOpenKey  (0xf, {24, 232, 0x40, 0, 0,  (0xf, {24, 232, 0x40, 0, 0, "History"}, ... 240, ) }, ... 240, ) == 0x0
 01527   744   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01528   744   NtReleaseSemaphore  (244, 1, ... 0, ) == 0x0
 01529   744   NtWaitForSingleObject  (244, 0, {0, 0}, ... ) == 0x0
 01530   744   NtCreateKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 256, 2, ) }, 0, 0x0, 0, ... 256, 2, ) == 0x0
 01531   744   NtQueryValueKey  (256,  (256, "History", P , P